Ransomware now also targets POS

Another weapon has been added to the already fearsome Ransomware arsenal: according to Symantec researchers, the REvil ransomware (also known as Sodinokibi) has been observed scanning its victims’ networks for POS devices.

REvil is one of the most popular Ransomware-as-a-Service (RaaS) offerings, meaning it is sold on the Dark Web in “ready-made” attack packages, and it is known for its great ability to breach corporate networks through exploits, vulnerable RDP services, phishing, and already compromised Managed Service Providers.

The Attack

In their latest campaign, after gaining access to a target’s network, the Criminal Hackers moved laterally, stealing data from servers and workstations along the way, and then encrypted every machine on the network once they had obtained administrative access to the Domain Controller.

As part of the campaign observed by the researchers, the attackers behind REvil used the Cobalt Strike toolkit to deploy various payloads on their targets’ networks.

In total, the researchers found Cobalt Strike on the networks of eight companies targeted in this campaign, with the attackers infecting and encrypting three companies in the services, food and healthcare sectors with the REvil ransomware.

The companies targeted in this campaign were primarily large enterprises, including multinational corporations, which were likely targeted because the attackers believed they would be willing to pay a large ransom to regain access to their systems.

Each of the victims was asked to pay $50,000 in Monero cryptocurrency or $100,000 if the three-hour deadline expired.

The REvil Criminal Hackers did their best to evade detection after gaining access to their targets’ networks, using infrastructure hosted on legitimate services such as Pastebin (payload storage) and Amazon CloudFront (command and control servers).

They also disabled security software to prevent their attacks from being detected and stole credentials used later to add “rogue” accounts as a way to gain persistence on compromised machines.
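The “rogue” account persistence described above leaves a recognisable trace in the Windows Security log: an account is created and, shortly afterwards, added to a privileged local group. The following detection logic is an added example, not code from the original article or from Symantec; the event records are constructed samples and their field layout is an assumption (a real SIEM export would differ), while the event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group) are the standard Windows Security values.

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not real telemetry).
# Field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"time": "2020-06-15T02:10:05", "host": "WS-014", "event_id": 4720,
     "subject": "CORP\\jdoe", "target": "svc_backup2", "group": None},
    {"time": "2020-06-15T02:10:41", "host": "WS-014", "event_id": 4732,
     "subject": "CORP\\jdoe", "target": "svc_backup2", "group": "Administrators"},
    # legitimate onboarding: new account only added to Remote Desktop Users
    {"time": "2020-06-15T09:30:00", "host": "WS-022", "event_id": 4720,
     "subject": "CORP\\helpdesk", "target": "newhire1", "group": None},
    {"time": "2020-06-15T09:31:10", "host": "WS-022", "event_id": 4732,
     "subject": "CORP\\helpdesk", "target": "newhire1", "group": "Remote Desktop Users"},
    # account promoted hours after creation: outside the correlation window
    {"time": "2020-06-16T03:02:00", "host": "SRV-DC1", "event_id": 4720,
     "subject": "CORP\\jdoe", "target": "wsus_upd", "group": None},
    {"time": "2020-06-16T11:00:00", "host": "SRV-DC1", "event_id": 4732,
     "subject": "CORP\\admin", "target": "wsus_upd", "group": "Administrators"},
]

ACCOUNT_CREATED = 4720           # Windows Security: a user account was created
LOCAL_GROUP_MEMBER_ADDED = 4732  # Windows Security: member added to a local group
PRIVILEGED_GROUPS = {"Administrators"}


def parse_time(value):
    return datetime.fromisoformat(value)


def find_rogue_admin_accounts(events, window=timedelta(minutes=15)):
    """Return one alert per account that is created and then added to a
    privileged local group on the same host within `window`.

    The creation-then-promotion chain inside a short window is the pattern a
    persistence-oriented intruder produces; a slow promotion by a different
    operator (the wsus_upd case) is left for a lower-priority review.
    """
    created = {}   # (host, account) -> creation time
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["target"].lower())
        if ev["event_id"] == ACCOUNT_CREATED:
            created[key] = parse_time(ev["time"])
        elif ev["event_id"] == LOCAL_GROUP_MEMBER_ADDED and ev["group"] in PRIVILEGED_GROUPS:
            t0 = created.get(key)
            if t0 is None:
                continue
            delta = parse_time(ev["time"]) - t0
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "host": ev["host"],
                    "account": ev["target"],
                    "created_by": ev["subject"],
                    "seconds_to_privilege": int(delta.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_admin_accounts(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only `svc_backup2` on WS-014 is flagged (created and made a local administrator 36 seconds apart, at 02:10 local time); the helpdesk onboarding and the slow promotion on the domain controller are not. In a real deployment the same rule should run on the domain-level equivalents (4728 and 4756 for global and universal group additions) and be paired with alerting on security software being turned off, since the article notes both happen together.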

Scans for PoS Systems

While the food and services companies were the perfect targets, being large organizations that could pay a large ransom to have their systems decrypted, the healthcare company that was hit was a much smaller organization that was unable to pay the ransom.

In this case, likely because there was a high chance the victim would be unable to pay for its “decryptor,” the REvil operators also scanned the organization’s network for PoS systems, either to compensate by harvesting credit card data or to find another valuable target to encrypt.
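A scan for PoS systems from an already compromised workstation shows up in internal flow telemetry as one source contacting many distinct internal hosts on the same port in a short time. The sweep detector below is an added example written for this article, not Symantec’s or the author’s code; the flow records are constructed, the port number used in the sample is an arbitrary choice rather than a PoS-specific one, and the threshold and window are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed flow records (src, dst, dport, timestamp); not real data."""
    base = datetime(2020, 6, 15, 2, 30, 0)
    flows = []
    # one workstation touching 25 hosts of an internal /24 on a single port
    # within about 50 seconds: the shape of a host/service sweep
    for i in range(1, 26):
        flows.append(("10.10.5.14", f"10.20.0.{i}", 445, base + timedelta(seconds=2 * i)))
    # ordinary workstation traffic: a handful of file servers, repeated
    for i, dst in enumerate(["10.20.0.5", "10.20.0.9", "10.20.0.5", "10.20.0.12"]):
        flows.append(("10.10.5.20", dst, 445, base + timedelta(seconds=10 * i)))
    return flows


def detect_sweeps(flows, threshold=20, window=timedelta(seconds=120)):
    """Return (src, dport, distinct_destinations, time) for each source that
    contacts at least `threshold` distinct destinations on one port within a
    sliding `window`. One alert per (src, port) pair keeps triage manageable."""
    by_key = defaultdict(list)
    for src, dst, dport, ts in flows:
        by_key[(src, dport)].append((ts, dst))

    alerts = []
    for (src, dport), items in by_key.items():
        items.sort()
        left = 0
        in_window = defaultdict(int)  # dst -> number of flows inside the window
        for ts, dst in items:
            in_window[dst] += 1
            # slide the left edge forward until the window fits
            while ts - items[left][0] > window:
                old_dst = items[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) >= threshold:
                alerts.append((src, dport, len(in_window), ts))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(build_sample_flows()):
        print(alert)
```

Running it on the constructed flows raises a single alert for 10.10.5.14 on port 445 the moment its 20th distinct destination is reached; 10.10.5.20 never exceeds three destinations and stays quiet. Counting distinct destinations rather than raw packets is what keeps a chatty but legitimate file-share client from tripping the rule.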

While many of the elements of this attack are “typical” tactics seen in previous attacks with Sodinokibi, the scanning of victim systems for PoS software is interesting, as it’s not something you typically see happen during classic ransomware campaigns.

It will be interesting to see if this was just an opportunistic activity or if it’s destined to become a new tactic.

As if that wasn’t enough, earlier this month, REvil ransomware also launched an auction site to sell their victims’ stolen data to the highest bidder.

By Pierguido Iezzi, Co-Founder Swascan