/
Ransomware Containment

Stopping REvil: How Illumio Can Disrupt One of the Most Prolific Ransomware Groups

Ransomware groups come and go. But few have the name recognition of REvil. Also known as Sodinokibi, the group and its affiliates have been responsible for some of the most audacious breaches of the past 12-18 months. These include raids on a celebrity law firm and a meat processing giant, which netted the attackers $11m. Other notable campaigns include the sophisticated attack on IT software firm Kaseya and the compromise of Taiwanese manufacturer and Apple client Quanta Computer.

The latter two are notable for their outrageous ransom demands, $70 million and $50 million, respectively. But also because they exploited global supply chains, albeit in different ways, to further their goals.

And while REvil has recently been disrupted by arrests and sanctions, the group is reportedly continuing operations. The good news is that with Illumio on hand to map, monitor and block high-risk network connections, you can mitigate the REvil threat — and that of whatever iterations follow if the group ultimately disappears.

Why are supply chain attacks dangerous?

Ransomware attacks on the supply chain are dangerous because they can disrupt the entire network of interconnected businesses. These attacks can halt production, delay deliveries, and cause significant financial losses.

Additionally, they can lead to data breaches, exposing sensitive information across multiple organizations, which undermines trust and damages reputations.

The interdependence within supply chains means that an attack on one entity can have a cascading effect, impacting many other businesses and potentially leading to widespread economic consequences.

The April 2021 raid on Quanta Computer was smart. As a key contract manufacturing partner for Apple, it has access to some highly sensitive blueprints and product IP. It also, REvil calculated, may be less well protected than the Cupertino tech giant.

When Quanta refused to pay, the group went to Apple to demand the ransom, or else they’d leak or sell the stolen documents. We don’t know if they succeeded, but all data relating to the raid was subsequently removed from the REvil leak site, according to reports.

What does this incident tell us? First, your organization may become a ransomware/REvil target if it does business with high-value partners. And second, you’re only as secure as your least secure suppliers.

How does REvil work?

The Quanta attack itself contained some unique elements. But the broad pattern — exploiting vulnerable, outward-facing software or services — has been used in countless campaigns. 

In this case, REvil targeted a vulnerability in Oracle WebLogic software. This enabled the threat actors to force a compromised server to download and execute malware without any user action. There were two main stages:

  1. The attackers made an HTTP connection to an unpatched WebLogic server, then forced it to download the Sodinokibi ransomware variant. They used a PowerShell command to download a file named “radm.exe” from malicious IP addresses, and then forced the server to save the file locally and execute it.
  2. The attackers attempted to encrypt data in the user’s directory, and to disrupt data recovery by deleting “shadow copies” of the encrypted data that Windows automatically creates.

How can you stop REvil?

Good cyber hygiene, such as prompt patching of high-risk endpoints, can help to reduce the attack surface for organizations. But beyond this, more comprehensive action can be taken at a network level.

Organizations must understand that even trusted channels and third-party software can become a conduit for malware and ransomware. Mitigating this risk requires segmenting any off-the-shelf solutions from the rest of the environment—especially security tools like endpoint detection and response (EDR) and extended detection and response (XDR).

Enterprises should also consider identifying and restricting any non-essential outbound connections. That means blocking everything except communications to authorized destination IPs, including on ports 80 and 443. This will disrupt threat actors attempting to “call home” to command and control (C&C) servers in order to download additional tooling to progress attacks. It will also block attempts to exfiltrate data out of the organization to servers under their control.

How Illumio can help

Illumio's advanced Zero Trust Segmentation technology delivers effortless, scalable policy management to protect critical assets and isolate ransomware. Illumio empowers security teams to gain visibility into communication flows and high-risk pathways. Then we enforce full segmentation control down to the workload level to drastically reduce your attack surface and minimize the impact of ransomware.

In three simple steps, Illumio can protect your organization from ransomware like REvil:

  1. Map all essential and non-essential outbound communications
  2. Rapidly deploy policy to restrict communications at scale
  3. Monitor any outbound connections that can’t be closed
     

For more best practice guidance on building resilience to ransomware:

Related topics

No items found.

Related articles

Ransomware Reduction 101: Lateral movement between endpoints
Ransomware Containment

Ransomware Reduction 101: Lateral movement between endpoints

Hive Ransomware: How to Limit Its Sting with Illumio Zero Trust Segmentation
Ransomware Containment

Hive Ransomware: How to Limit Its Sting with Illumio Zero Trust Segmentation

Learn more about Hive ransomware and how Illumio can help mitigate risk posed towards your organization.

Contain Ransomware at Its Source With Zero Trust Segmentation
Ransomware Containment

Contain Ransomware at Its Source With Zero Trust Segmentation

Learn why the ransomware threat is so critical and how to achieve ransomware containment with Zero Trust Segmentation.

How to Contain LockBit Ransomware Attacks with Illumio
Ransomware Containment

How to Contain LockBit Ransomware Attacks with Illumio

Discover how LockBit ransomware operates and how Illumio Zero Trust Segmentation contained a LockBit ransomware attack in summer 2022.

3 Steps to Stop Ransomware From Spreading
Ransomware Containment

3 Steps to Stop Ransomware From Spreading

Discover the steps to stop ransomware from spreading by limiting connections, expanding visibility, and improving response time.

Why Firewalls Aren't Enough for Ransomware Containment
Ransomware Containment

Why Firewalls Aren't Enough for Ransomware Containment

Discover the reasons why firewalls are too slow to keep up with threats and why microsegmentation is key for ransomware containment.

Assume Breach.
Minimize Impact.
Increase Resilience.

Ready to learn more about Zero Trust Segmentation?