Over the past week, more information has come to light on the REvil ransomware attack. It seems that the attack what’s launched prematurely as the attackers discovered that a patch was about to be released for the zero-day vulnerability their attack uses. This is an interesting development since many believed that the attack was specifically targeted on the 4th of July weekend but this new evidence would suggest that was purely a coincidence. This timing also explains why the attack hasn’t proven as destructive as it could have been. If you are a victim the FBI has released guidance which has been summed up nicely here but be careful there are some fake updates that will backdoor you with Cobalt Strike. Fortunately, many victims have been able to restore from backups since the REvil attack was remote and couldn’t steal or delete backups.
However, there’s still too much aftermath for President Biden’s liking. He has once again issued a warning that Russia should attempt to arrest cybercriminal gangs operating within their borders. Again, very reminiscent of the exact same thing he said a few weeks ago. It seems unlikely that any tangible action will be taken in the near future due to the shaky relationship between the two countries, just more fist waiting as the ransomware attacks continue to happen.
Want to learn ransomware basics and earn a CPE credit? Try our free course.
At least a brand new website will help us keep track of the staggering amounts paid in ransom. For the curious, Netwalker (Mailto) seems to be currently in the lead at $27.9 million in ransoms.
For those trying to push for cybersecurity as an organizational priority, there is a recent article that you might find helpful in pushing your agenda, as well as a cost-benefit analysis. And if you need something a little more anecdotal to be persuasive, here’s a story about a man that spent 24 years building his business and it all got blown to bits by a single ransomware attack.
There’s a new ransomware service on the block called AvosLocker looking for affiliates through Dread. Unfortunately, there’s not a publicly available sample as of yet however we do know that it appends .avos and its ransom note is GET_YOUR_FILES_BACK.txt. But if you need something to analyze there are two new versions of Stop/Djvu ransomware using the extension .zqqw and .zzla on VirusTotal. There is a Hunt variant using .nohope and the NOHOPE_README.txt note.
If you’re just getting started with ransomware analysis there is a great article going over unpacking Conti.
Additionally, a detection tool was released for the REvil ransomware attack.
Upcoming Security Conferences
The International Conference on Cybersecurity or ICCS is hosted by the FBI and Fordham University and focuses on bringing together government, private sector, and academia to discuss current cyber threats such as ransomware.
This is the largest conference focused exclusively on the ransomware threat. It offers a great opportunity to grow your security knowledge and find new and innovative ways to protect your company.
Black hat is one of the largest annual security conferences. It’s the corporate version of Defcon and as such is a great opportunity to get face time with security professionals such as the Varonis team. Be sure to stop by our booth!