The gang behind the REvil ransomware strain, also known as Sodin, continues its global attacks into 2021 after demanding that Apple pay a $50 Million ransom by May 1st. Despite initially being declined by Apple, the ransomware gang put the squeeze on the tech giant, leaking details of new products just hours before one of Apple’s yearly product unveilings.
The original attack was launched against Quanta, a Global Fortune 500 electronics manufacturer that counts Apple among its customers. The Taiwan-based company is contracted to assemble Apple products, including the Apple Watch, Apple MacBook Air and Pro, and ThinkPad, from an Apple-provided set of design schematics.
The REvil ransomware gang breached Quanta’s servers, stole files, and held them to ransom. According to a statement posted on the criminals’ dark web site – which they call the “Happy Blog” – Quanta refused to pay the ransom, leading the hackers to begin threatening the company’s customers and to leak a set of blueprints for some products to turn up the pressure, adding that more would be leaked every day the ransom went unpaid.
REvil began leaking the stolen files just hours before Apple’s Spring Loaded event on Tuesday, including schematics for some of the new iMacs Apple debuted there.
“In order not to wait for the upcoming Apple presentations, today we, the REvil group, will provide data on the upcoming releases of the company so beloved by many,” according to REvil’s blog post, the report said. “Tim Cook can say thank you Quanta. From our side, a lot of time has been devoted to solving this problem.”
The REvil ransomware gang has demanded a $50 Million ransom by May 1st. Sodin aren’t known to mess about with ransoms – in the past, they have been strict with deadlines.
“The REvil ransomware gang doesn’t make false promises,” observed Ivan Pittaluga, CTO of enterprise security firm ArcServe. “They’re notoriously known for leaking data if their demands aren’t met.”
REvil are believed to have made at least $100 Million in 2020, and 2021 looks like it will strengthen their finances even more.
REvil Ransomware Analysis
The first REvil deployments were observed a few years ago, when attackers exploited a vulnerability in Oracle WebLogic servers tracked as CVE-2019-2725. The malware is highly configurable and can be customized to behave differently depending on the host, which makes it a highly attractive RaaS client. Some of its features include:
- Exploits a kernel privilege escalation vulnerability, CVE-2018-8453, to gain SYSTEM privileges.
- Whitelists files, folders and extensions from encryption.
- Kills specific processes and services prior to encryption.
- Encrypts files on local and network storage.
- Customizes the name and body of the ransom note, and the contents of the background image.
- Exfiltrates encrypted information about the infected host to remote controllers.
- Uses Hypertext Transfer Protocol Secure (HTTPS) for communication with its controllers.
REvil was first advertised on Russian-language cybercrime forums. The main actor associated with advertising and promoting REvil ransomware is called Unknown aka UNKN. The RaaS is operated as an affiliate service, where affiliates spread the malware by acquiring victims and the REvil operators maintain the malware and payment infrastructure. Affiliates receive 60% to 70% of the ransom payment.
Unknown has acknowledged that the ransomware is based on the now-retired GandCrab ransomware, saying, “We used to be affiliates of the GandCrab affiliate program. We bought the source code and started our own business. We developed custom features for our purposes.”
REvil exploits a kernel privilege escalation vulnerability in win32k.sys, tracked as CVE-2018-8453, to gain SYSTEM privileges on the infected host. If the configuration instructs a sample to run this exploit, the sample allocates executable memory, decrypts the exploit code into the newly allocated region, and invokes it.
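As an added, defender-side illustration of the behaviour described above (not code from the article or from REvil), the following Python triages memory-region records for the footprint such a loader leaves behind: a private, executable, non-empty region that no loaded image backs. The record format and the sample regions are constructed for this example; only the Windows protection and type constants are real.

```python
"""Flag private, executable, non-empty memory regions not backed by an image."""
from dataclasses import dataclass
from typing import List

# Windows page-protection and region-type constants (winnt.h)
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100
EXECUTABLE_PROTECTS = {PAGE_EXECUTE, PAGE_EXECUTE_READ,
                       PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000


@dataclass
class Region:
    """One region as a triage tool might dump it (constructed record format)."""
    base: int
    size: int
    protect: int        # current page protection, may carry PAGE_GUARD etc.
    mem_type: int       # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
    first_bytes: bytes  # head of the region as read by the triage tool


def is_suspicious(r: Region) -> bool:
    """Executable memory that is private (not a loaded module) and holds
    non-zero bytes is the footprint of code decrypted into a fresh buffer."""
    base_protect = r.protect & 0xFF  # strip PAGE_GUARD / PAGE_NOCACHE modifiers
    if base_protect not in EXECUTABLE_PROTECTS:
        return False
    if r.mem_type == MEM_IMAGE:
        return False  # sections of legitimately loaded EXEs and DLLs
    return any(r.first_bytes)  # all-zero pages are committed but unused


def scan(regions: List[Region]) -> List[int]:
    """Return the base addresses of regions worth a closer look."""
    return [r.base for r in regions if is_suspicious(r)]


# Constructed sample: main module, heap, an RWX buffer with code-like bytes,
# and an RWX region that was committed but never written.
SAMPLE_REGIONS = [
    Region(0x00400000, 0x1000, PAGE_EXECUTE_READ, MEM_IMAGE, b"MZ\x90\x00"),
    Region(0x00210000, 0x5000, PAGE_READWRITE, MEM_PRIVATE, b"\x00\x00\x00\x00"),
    Region(0x02A00000, 0x3000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, b"\x55\x8b\xec\x83"),
    Region(0x02B00000, 0x1000, PAGE_EXECUTE_READWRITE | PAGE_GUARD, MEM_PRIVATE, b"\x00\x00"),
]
```

Running `scan(SAMPLE_REGIONS)` flags only the third region; the heuristic is the same one memory-forensics tools apply when hunting for injected or decrypted code.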
Protection
REvil and other ransomware clients are among the most common and damaging cybersecurity threats today. Families and businesses should be aware of these threats and equip themselves with the right tools to tackle them. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls, including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need 3 separate services for a VPN, malware protection, and internet controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers, at an economical price point that caters to businesses and families of all sizes. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.