An attack perpetrated by REvil aka Sodinokibi ransomware gang against Managed Service Providers (MSPs) and their clients was discovered on July 2. Some of the victims have reportedly been compromised through a popular MSP software which led to encryption of their customers. The total number of encrypted businesses could run into thousands.
REvil ransomware has been advertised on underground forums for three years and it is one of the most prolific RaaS operations. According to an interview with the REvil operator, the gang earned over $100 million from its operations in 2020. The group’s activity was first observed in April 2019 after the shutdown of GandCrab, another now-defunct ransomware gang. More details about that gang can be found in our articles Ransomware world in 2021: who, how and why and Sodin ransomware exploits Windows vulnerability and processor architecture.
In this latest case, the attackers deployed a malicious dropper via the PowerShell script, which, in turn, was executed through the vendor’s agent:
This script disables Microsoft Defender features and then uses the certutil.exe utility to decode a malicious executable (agent.exe) that drops a legitimate Microsoft binary (MsMpEng.exe, an older version of Microsoft Defender) and malicious library (mpsvc.dll), which is the REvil ransomware. This library is then loaded by the legitimate MsMpEng.exe by utilizing the DLL side-loading technique (T1574.002).
Execution map for the “agent.exe” dropper – Kaspersky Cloud Sandbox
Using our Threat Intelligence service, we observed more than 5,000 attack attempts in 22 countries by the time of writing.
Geography of attack attempts (based on KSN statistics)
REvil uses the Salsa20 symmetric stream algorithm for encrypting the content of files and the keys for it with an elliptic curve asymmetric algorithm. Decryption of files affected by this malware is impossible without the cybercriminals’ keys due to the secure cryptographic scheme and implementation used in the malware.
Kaspersky products protect against this threat and detect it with the following names:
- PDM:Trojan.Win32.Generic (with Behavior Detection)
Section of Kaspersky TIP lookup page for the 0x561CFFBABA71A6E8CC1CDCEDA990EAD4 binary
The vendor whose software was reportedly compromised, issued a special advisory which is being periodically updated.
To keep your company protected against ransomware 2.0 attacks, Kaspersky experts recommend:
- Not exposing remote desktop services (such as RDP) to public networks unless absolutely necessary and always using strong passwords for them.
- Promptly installing available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.
- Always keeping software updated on all the devices you use to prevent ransomware from exploiting vulnerabilities.
- Focusing your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to the outgoing traffic to detect cybercriminals’ connections. Back up data regularly. Make sure you can quickly access it in an emergency when needed. Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors.
- Using solutions like Kaspersky Endpoint Detection and Response and the Kaspersky Managed Detection and Response service which help to identify and stop attacks at the early stages, before the attackers reach their main goals.
- Protecting the corporate environment and educating your employees. Dedicated training courses can help, such as those provided in the Kaspersky Automated Security Awareness Platform. A free lesson on how to protect against ransomware attacks is available here.
- Using a reliable endpoint security solution such as Kaspersky Endpoint Security for Business that is powered by exploit prevention, behavior detection and a remediation engine that can roll back malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.
Indicators of Compromise
agent.cer (encrypted agent.exe)