
Reviewing the Latest REvil Ransomware Attacks

Mainstream media has been buzzing recently after a series of leaks were reportedly caused by REvil ransomware attacks. Last week, hackers known as REvil launched a ransomware attack against Grubman Shire Meiselas & Sacks, a prominent law firm with many celebrity clients in the entertainment industry. Making their threats known on a darknet Tor site, the attacker demanded $21 million in exchange for the safe return of 756 gigabytes of sensitive files. When GSMLaw refused the ransom, the attacker published over 2 gigabytes of stolen data, including contracts and expenditure records of Lady Gaga, Lizzo, and Madonna. The attacker also announced a doubling of the ransom to $42 million, claiming they also have dirt on Donald Trump that would be detrimental to his presidential campaign if released.

As with other notable ransomware attacks launched this year, the REvil ransomware attacks utilized a double extortion tactic to attempt to coerce GSMLaw into making large payments. As we discussed earlier this month, double extortion tactics involve a threat on two fronts: the attacker encrypts the target’s data, making it unrecoverable, while retaining a copy of the original data in order to expose sensitive, embarrassing, or legally consequential secrets. Unless the target pays up or meets other demands, the malicious actor won’t deliver the decryption key to restore the data. But FBI officials warn that paying an attacker won’t guarantee they will return your data, and they can always break their word and publish stolen data anyway.

In this case, a vulnerability in both local and remote data storage locations at GSMLaw rendered 756 gigabytes of data unrecoverable. The ransomware used for the attack, called Sodinokibi, exploits known vulnerabilities in Oracle WebLogic servers, among others. Keeping your software up to date can prevent some of these kinds of attacks, but it cannot guarantee you protection from zero-day attacks. If your business handles sensitive data, it is increasingly important to test your workstations, servers, and data stores against intrusion.

Celebrities weren’t the only targets of the REvil ransomware attacks, nor the only victims of this variety of ransomware. Sodinokibi rampaged through China late last year through a wide variety of phishing email campaigns. REvil also recently attacked Harvest Sherwood Food Distributors, one of the largest distributors of refrigerated food in the United States, with annual profits exceeding $4 billion. They also attacked prominent 3D imaging company FARO Technologies and stole 1.5 TB of data. In this instance, the attacker targeted a specific employee in the company who was tricked into installing the ransomware. REvil then sent instructions to the employee to deliver notification of the ransom to their boss. It is important for business owners to realize that an organization is only as strong as its weakest link. Routine security training and penetration testing are vital components of maintaining enterprise security.

Perhaps the most surprising target of the REvil ransomware attacks is United States President Donald Trump. Publishing again on the same darknet Tor site, REvil actors claimed to have “a ton of dirty laundry” that could damage the President’s chances of re-election. It was initially unclear whether the threat against Trump was genuine because no proof of the hack had been seen. But after publishing a sample of 160 confidential emails, REvil claims to have found a buyer for the rest of the stolen data.

With targets varying so widely in industry and position, it’s hard to see any pattern at all. It could indicate that attackers had the means to cast a very wide net across the country. It could be the case that the attacks weren’t highly targeted, but rather the result of probing the Internet for unpatched, known vulnerabilities. REvil is a RaaS, or Ransomware-as-a-Service. This means a single group operates and manages the development of the REvil ransomware while access to the ransomware is purchased by other malicious groups, who are then referred to as “REvil affiliates.” These malicious groups may have been hired by other industry competitors to sabotage the targeted companies.

Experts have repeatedly warned that this form of attack is difficult or impossible to thwart once a device has been infected. Although safeguards like independent off-site backups make it possible to recover lost data, there is no way to reverse your secrets being exposed, nor any guarantee that you won’t be reinfected through negligence, coercion of an employee from your enterprise, or a shift in tactics to discover different exploitable vulnerabilities.

As always, your best defense against ransomware attacks is a comprehensive security strategy that combines multiple independent layers of protection, including Internet safety training, vigilant reporting procedures, offsite data backups, and continuous security assessments. If you believe you have been compromised by ransomware, alert your superiors according to your organization’s security protocols immediately.
