Cybersecurity experts from a renowned threat intelligence team recently spotted new activity by the cybergang REvil (also known as Sodinokibi) after it exposed itself while trying to get its paws on the point-of-sale (POS) systems of one of its targeted victims. The targeted business was said to be a healthcare organization that was unable to pay the blood money demanded as ransom after the gang encrypted its systems.
REvil was said to be a new gang rising to fame in the cybercrime world for its ingenuity and its multiple successful attacks on targeted organizations. Its name has already been making noise in news posted on various cybersecurity websites in the past few weeks. The group is a ransomware-as-a-service (RaaS) operator that usually targets multi-million-dollar companies in sectors such as food, healthcare, and services.
The origin of REvil?
According to rumors, REvil is a rebrand or regrouping of the former cybergang GandCrab, which announced its retirement last May. Speculation arose that the change was driven by the need to get off the radar after collecting more than $2 billion in blood money from its victims. Furthermore, cybersecurity experts believe that both groups operate from the Commonwealth of Independent States (CIS) region of ex-USSR countries, as seen in their attack behavior. Similarities in their modus operandi and in the code they use are also plainly visible in the evidence gathered.
The group usually uses the Cobalt Strike malware, which is a brute-force attack application that allows attackers to install 'Beacon.' It has many features, including data transmission, command-and-control services, access manipulation, a shellcode loader, port scanning, and keylogging. The application became known to many hackers for its stable and well-written code, which is also easily customizable to fit each targeted business.
How does the POS attack work?
The attack usually starts by compromising a system so that the Beacon can be put in place. The attackers hide behind legitimate services to avoid detection by system scanning, and they disable the security software installed on the targeted network and POS systems. With Beacon's capabilities, they exfiltrate information from the infected computer, including gathering administrator access. Once this level of access has been obtained, they can create or delete accounts for the next phase of the attack. Once the whole network has been compromised, they start the encryption and then ask for a ransom. The ransom usually ranges from $50,000 to $100,000 worth of the Monero cryptocurrency, with a 3-hour deadline. Otherwise, the information extracted from the organization is sold off on the dark web or to other companies for which the gathered data is useful.
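The paragraph above names two host-level signs of the Beacon phase that a defender can watch for on POS endpoints: security software being disabled, and accounts being created, promoted and deleted to secure administrator access. The script below is an added example, not code from the article or from any vendor; it runs a simple detector over a constructed sample of Windows-style event records. The event IDs are real Windows Security/System IDs (4720 account created, 4726 account deleted, 4732 member added to a local group, 7036 service state change); the host names, service names, log lines, the 30-minute correlation window and the list of security service names are assumptions made for the demonstration.

```python
"""Flag Beacon-phase indicators on POS hosts: a security service stopped, and a
newly created account promoted to Administrators (optionally deleted afterwards).

Added example; event IDs are real Windows IDs, everything else is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one "timestamp|host|event_id|detail" record per line.
SAMPLE_LOG = """\
2020-06-01T02:14:05|POS-07|7036|The Windows Defender Antivirus Service service entered the stopped state.
2020-06-01T02:15:40|POS-07|4720|A user account was created. Target: svc_update
2020-06-01T02:16:02|POS-07|4732|A member was added to a security-enabled local group. Group: Administrators Member: svc_update
2020-06-01T03:10:00|POS-07|4726|A user account was deleted. Target: svc_update
2020-06-01T09:00:00|POS-02|4720|A user account was created. Target: cashier12
2020-06-01T09:30:00|POS-02|7036|The Print Spooler service entered the stopped state.
"""

# Substrings identifying security products whose stop is suspicious (assumption).
SECURITY_SERVICES = ("Defender", "Antivirus", "Endpoint", "EDR", "Sense")
# How soon after creation a promotion to Administrators counts as correlated (assumption).
WINDOW = timedelta(minutes=30)


def parse(log_text):
    """Parse the pipe-delimited records into dicts sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "eid": int(eid), "detail": detail})
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Return a list of (host, reason) findings."""
    findings = []
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    for host, evs in by_host.items():
        # Sign 1: a security product's service entered the stopped state.
        for e in evs:
            if (e["eid"] == 7036 and "stopped" in e["detail"]
                    and any(s in e["detail"] for s in SECURITY_SERVICES)):
                findings.append((host, f"security service stopped: {e['detail']}"))

        # Sign 2: account created, then added to Administrators within WINDOW.
        for c in (e for e in evs if e["eid"] == 4720):
            user = c["detail"].rsplit("Target: ", 1)[-1].strip()
            promoted = any(
                e["eid"] == 4732 and "Administrators" in e["detail"]
                and user in e["detail"]
                and timedelta(0) <= e["ts"] - c["ts"] <= WINDOW
                for e in evs)
            deleted = any(e["eid"] == 4726 and user in e["detail"]
                          and e["ts"] > c["ts"] for e in evs)
            if promoted:
                findings.append((host, f"new account {user} added to Administrators "
                                       f"within {WINDOW}"))
            if promoted and deleted:
                findings.append((host, f"short-lived admin account {user} "
                                       f"created then deleted"))
    return findings


if __name__ == "__main__":
    for host, reason in detect(parse(SAMPLE_LOG)):
        print(f"[{host}] {reason}")
```

On the constructed sample, POS-07 produces three findings (the stopped antivirus service, the promoted account, and the create-then-delete pattern) while POS-02 produces none, since a cashier account that is never promoted and a stopped Print Spooler are ordinary operations. In production the same logic would read the real Security and System channels and alert on the cluster of findings per host rather than on any single event.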
The exposed activity of REvil was entirely new relative to its reputation, which made it an exciting topic in the cybersecurity community. Security experts have raised much speculation about the motives behind such an attack: either it is a new line of aggression that a ransom group may use, or it is a way to cover for the failure to collect any ransom.