Threat Actor Update: Newly Seen Variant Indicates a Possible REvil Comeback
On April 29, researchers from Avast blocked a ransomware sample in the wild which bears hallmarks of the Russia-based ransomware group REvil. (1) Also in April, REvil’s TOR network infrastructure was brought back online. REvil’s previously used TOR domain re-directs users to sites with new domain names. These sites allegedly contained information on previous REvil victims, as well as new victims. (2) According to one article, a sample of the variant is compiled from REvil’s source code. The sample also leaves a ransomware note identical to REvil’s previous notes. (3)
Over the past year, members of REvil garnered international press after successes and setbacks. REvil carried out a successful attack against Kaseya (6), then going offline allegedly to avoid unwanted attention. (7) The group’s members were arrested and infrastructure was taken offline in late 2021 due to an international law enforcement action. (4, 5) Despite this public success against the group, there were no indications that all REvil members were arrested, nor were there any subsequent announcements that the group ceased operations permanently. It is most likely that REvil members who remained at large throughout the winter and spring 2021 chose this moment to resume operations. The deterioration of Russian relations with the West since February almost certainly guarantees that Moscow will not succumb to international pressure to act against REvil (or other Russia-based cyber threat actors), giving the group more freedom to restart cyberattacks.
Exploit Tools and Targets: F5 Announces Critical Vulnerability; Security Researchers Develop Trivial Exploit
Software company F5 disclosed in a security advisory last week a vulnerability, now tracked as CVE-2022-1388, which has a “critical” severity score of 9.8/10. (8, 9) The vulnerability allows attackers to bypass iControl REST authentication protocols and “execute arbitrary system commands, create or delete files, or disable services.” As of mid-May, social media posts indicated hackers were able to run commands using this exploit without authentication. (15) Versions 11 to 16 of the BIG-IP software are vulnerable to this CVE. (10) Very shortly after disclosure, security researchers were able to create exploits targeting this vulnerability. (11)
EclecticIQ analysts assess vulnerabilities such as these (critical severity but easy to exploit) are likely to be exploited almost immediately by threat actors looking to gain remote access to private networks. So far, it is unclear how widespread the vulnerability is, but F5 claims BIG-IP software is used by 48 of 50 Fortunte50 companies, including banks, telecom providers and government entities. (16) This exploit is judged trivial to execute, so experts urge BIG-IP administrators to install patches immediately, or to update legacy versions of the software not covered by the fix (versions 11 and 12). Details can be found on F5’s CVE-2022-1388 webpage. (10)
New and Noteworthy: U.S. College Cites Ransomware Costs for Permanent Closure
Lincoln College (in Illinois, USA) recently announced it would permanently shut its doors due to the college’s financial duress. In an explanation on its website, the college cited low enrollment due to Covid-19 and the costs and business delays associated with a ransomware attack last December. According to the note, the college’s recruitment and fundraising systems were inoperable until March as a direct result of the ransomware attack, which left the university unable to perform key administrative functions needed to assess the college’s overall wellbeing in a timely manner. (12)
This is probably not the first organization to shutter operations entirely after a ransomware attack, and it is unlikely to be the last. It is likely that the ransomware attack was not the sole factor in the decision to close. However, this attack underscores that organizations urgently need to have strong defense and response plans for worst-case cyberattacks. Sophos’ “State of Ransomware 2021” report, published in April 2021, noted that while numbers of ransomware attacks declined from the year prior, the amount paid per ransom more than doubled in a 12-month period. In addition, only a small minority (8%) of organizations that paid a ransom received all their data back. (13) In its education-specific report, Sophos reports the total cost of ransomware recovery to an educational institution was $2.73 Million; the highest cost borne across all business sectors measured. (14) EclecticIQ analysts assess the best defense is one which mandates backing up data regularly to a secure alternate location, implementing backup plans and testing the plans by running cyberattack drills. The costs of preparing for and operating under the assumption that ‘it will happen to us, we just don’t know when’ are very likely to be less than post-attack recovery, considering ransom payment, network reconstruction and recovery, and lost production time.
You might also be interested in:
An Accelerating Ransomware Threat Needs a Strong Cyber Defense
Countering the Ransomware Threat When There Is No Silver Bullet
Appendix
- https://twitter.com/JakubKroustek/status/1520135975262957568
- https://www.itpro.com/security/ransomware/367455/revil-ransomware-groups-infrastructure-comes-back-online-hinting-at
- https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/
- https://www.washingtonpost.com/national-security/cyber-command-revil-ransomware/2021/11/03/528e03e6-3517-11ec-9bc4-86107e7b0ab1_story.html
- https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged
- https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/
- https://www.france24.com/en/americas/20210714-ransomware-gang-revil-s-websites-go-offline-sparking-speculation
- https://support.f5.com/csp/article/K55879220
- https://nvd.nist.gov/vuln/detail/CVE-2022-1388
- https://support.f5.com/csp/article/K23605346
- https://www.bleepingcomputer.com/news/security/exploits-created-for-critical-f5-big-ip-flaw-install-patch-immediately/
- https://lincolncollege.edu/
- https://www.sophos.com/en-us/press-office/press-releases/2021/04/ransomware-recovery-cost-reaches-nearly-dollar-2-million-more-than-doubling-in-a-year
- https://assets.sophos.com/X24WTUEQ/at/g523b3nmgcfk5r5hc5sns6q/sophos-state-of-ransomware-in-education-2021-wp.pdf
- https://arstechnica.com/information-technology/2022/05/hackers-are-actively-exploiting-big-ip-vulnerability-with-a-9-8-severity-rating/
- https://www.darkreading.com/dr-tech/how-to-check-if-your-f5-big-ip-device-is-vulnerable
- https://www.bleepingcomputer.com/news/security/cisa-tells-federal-agencies-to-fix-actively-exploited-f5-big-ip-bug/
Structured Data
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.
TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery
You may also download the content as eiq_json, stix1_2, stix2_1.
Please refer to our support page for guidance on how to access the feeds.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.