Adaptive Segmentation, micro-segmentation | February 11, 2022

Stopping REvil: How Illumio Can Disrupt One of the Most Prolific Ransomware Groups

Ron Isaacson, Field CTO, US East

Ransomware groups come and go. But few have the name recognition of REvil. Also known as Sodinokibi, the group and its affiliates have been responsible for some of the most audacious breaches of the past 12-18 months. These include raids on a celebrity law firm and a meat processing giant, which netted the attackers $11 million. Other notable campaigns include the sophisticated attack on IT software firm Kaseya and the compromise of Taiwanese manufacturer and Apple client Quanta Computer.

The latter two are notable for their outrageous ransom demands ($70 million and $50 million, respectively), but also because they exploited global supply chains, albeit in different ways, to further their goals.

And while REvil has recently been disrupted by arrests and sanctions, the group is reportedly continuing operations. The good news is that with Illumio on hand to map, monitor and block high-risk network connections, you can mitigate the REvil threat — and that of whatever iterations follow if the group ultimately disappears.

Why are supply chain attacks dangerous?

The April 2021 raid on Quanta Computer was smart. As a key contract manufacturing partner for Apple, it has access to some highly sensitive blueprints and product IP. It also, REvil calculated, may be less well protected than the Cupertino tech giant. When Quanta refused to pay, the group went to Apple to demand the ransom, or else they’d leak or sell the stolen documents. We don’t know if they succeeded, but all data relating to the raid was subsequently removed from the REvil leak site, according to reports.

What does this incident tell us? First, your organization may become a ransomware/REvil target if it does business with high-value partners. And second, you’re only as secure as your least secure suppliers.

How does REvil work?

The Quanta attack itself contained some unique elements. But the broad pattern — exploiting vulnerable, outward-facing software or services — has been used in countless campaigns.

In this case, REvil targeted a vulnerability in Oracle WebLogic software. This enabled the threat actors to force a compromised server to download and execute malware without any user action. There were two main stages:

  1. The attackers made an HTTP connection to an unpatched WebLogic server, then forced it to download the Sodinokibi ransomware variant. They used a PowerShell command to download a file named “radm.exe” from malicious IP addresses, and then forced the server to save the file locally and execute it.
  2. The attackers attempted to encrypt data in the user’s directory, and to disrupt data recovery by deleting “shadow copies” of the encrypted data that Windows automatically creates.

How can you stop REvil?

Good cyber hygiene, such as prompt patching of high-risk endpoints, can help to reduce the attack surface for organizations. But beyond this, more comprehensive action can be taken at a network level.

Organizations must understand that even trusted channels and third-party software can become a conduit for malware and ransomware. Mitigating this risk requires segmenting any off-the-shelf solutions from the rest of the environment—especially security tools like endpoint detection and response (EDR) and extended detection and response (XDR).

Enterprises should also consider identifying and restricting any non-essential outbound connections. That means blocking everything except communications to authorized destination IPs, including on ports 80 and 443. This will disrupt threat actors attempting to “call home” to command and control (C&C) servers in order to download additional tooling to progress attacks. It will also block attempts to exfiltrate data out of the organization to servers under their control.
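The default-deny egress policy described above, as an added example that is not Illumio's code or part of the original post: observed outbound flows are checked against a hypothetical allowlist of authorized destinations, and every other connection, including those on ports 80 and 443, is denied and reported per source workload so that non-essential outbound paths can be identified and closed. The flow records, workload names and allowlist are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample outbound flow records (not real traffic). Each entry is
# (source workload, destination IP, destination port). 198.51.100.0/24,
# 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    ("web-01", "10.0.2.20", 443),      # internal application tier
    ("web-01", "203.0.113.45", 443),   # vetted external update host
    ("web-01", "198.51.100.9", 80),    # unknown external host on port 80
    ("web-02", "192.0.2.77", 443),     # unknown external host on port 443
    ("web-02", "10.0.0.53", 53),       # internal resolver
]

# Hypothetical allowlist of authorized destinations. Anything not listed is
# denied regardless of port, so 80 and 443 get no special treatment.
AUTHORIZED_DESTINATIONS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.45/32"),
]


def is_authorized(dst_ip: str) -> bool:
    """True if the destination falls inside an authorized network."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in AUTHORIZED_DESTINATIONS)


def evaluate_egress(flows):
    """Apply default-deny egress to observed flows.

    Returns (allowed, denied_by_source): the flows matching the allowlist, and
    a map of source workload -> sorted 'ip:port' destinations it tried to reach
    that are not authorized. The map is the starting point for deciding which
    non-essential outbound connections to close and which must stay monitored.
    """
    allowed = []
    denied_by_source = defaultdict(list)
    for src, dst, port in flows:
        if is_authorized(dst):
            allowed.append((src, dst, port))
        else:
            denied_by_source[src].append(f"{dst}:{port}")
    return allowed, {src: sorted(v) for src, v in denied_by_source.items()}


if __name__ == "__main__":
    _, denied = evaluate_egress(SAMPLE_FLOWS)
    for src, targets in denied.items():
        print(f"{src}: denied outbound to {', '.join(targets)}")
```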

How Illumio can help

Illumio's advanced Zero Trust Segmentation technology delivers effortless, scalable policy management to protect critical assets and isolate ransomware. Illumio empowers security teams to gain visibility into communication flows and high-risk pathways. Then we enforce full segmentation control down to the workload level to drastically reduce your attack surface and minimize the impact of ransomware.

In three simple steps, Illumio can protect your organization from ransomware like REvil:

  1. Map all essential and non-essential outbound communications
  2. Rapidly deploy policy to restrict communications at scale
  3. Monitor any outbound connections that can’t be closed

For more best practice guidance on building resilience to ransomware:
