
Published on March 18th, 2021


A look inside REvil. Unit 42 on ransomware. Vodafone’s big fine. Ransomware goes to school.



At a glance.

  • What the criminals behind REvil think they're doing.
  • Unit 42's ransomware report.
  • Vodafone's record fine.
  • Ransomware disrupts an English college.

Inside the minds that operate REvil ransomware.

The REvil ransomware group, also known as Sodinokibi or Sodin, is known for using double-extortion tactics against its victims (one of which was former US President Donald Trump), and for its robust ransomware-as-a-service operation, in which developers sell malware to clients or “affiliates” in order to launch their own campaigns. Threatpost reports that the group is currently taking credit for attacks over the past two weeks on nine organizations: law firms, an insurance company, international banks, and a manufacturer located in Africa, Europe, Mexico, and the US. As proof, REvil published some of the documents they claim to have stolen from the victims: computer file directories, customer lists, contracts, and even employer and customer IDs. Rob McLeod, senior director of the Threat Response Unit for eSentire stated, “These attacks come directly on the heels of an extensive and well-planned drive-by-download campaign, which was launched in late December.” Though it’s unclear if payment has been requested, some of the documents disappeared after posting, indicating the victims might have paid up.

Shedding some light on the motivations behind the group’s methods, the Record conducted an interview with an alleged REvil member who calls himself “Unknown.” He claims the gang is steering clear of politics now, as it’s simply not lucrative to side with one party or another. Though he can see the potential of ransomware as a weapon (and alleges the group has affiliates with access to missile launch systems), he states that starting war is not a goal: “It’s not worth it—the consequences are not profitable.” When asked about the impact of COVID-19 on cybercrime, he explains that as a result of the pandemic, fewer victims have the resources to pay, with the exception being pharmaceutical companies, whose pockets have remained deep enough to make them worthwhile targets. He also sees an organization’s use of cyberinsurance as a welcome challenge rather than a deterrent: “Especially to hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.” He warns that corporate negotiators might do the target more harm than good, as haggling will likely only compel the gang to increase their ransom demands in order to make up for lost time and resources.

Unit 42’s Ransomware Threat Report.

The Unit 42 threat intelligence team and the Crypsis incident response team joined forces to publish the 2021 Unit 42 Ransomware Threat Report, an analysis of the global ransomware threat landscape in 2020. Some highlights: 

  • Cybercriminals are making more money. The average ransom paid by a target increased from $115,123 in 2019 to $312,493 in 2020. And in 2020, the highest ransomware demand grew from $15 million to $30 million.
  • Unsurprisingly, threat actors have been preying on organizations crippled by the pandemic, with the healthcare sector being the most targeted.
  • There was an increase in double extortion, the tactic of locking up systems while simultaneously threatening to publish sensitive data. Upwards of sixteen different ransomware variants are now using this approach, with Netwalker being the top offender, leaking data from over one hundred victims. 

Vodafone Spain is issued a record data protection fine. 

Infosecurity Magazine reports that Vodafone Spain has been handed the largest penalty ever to be issued by the Spanish Data Protection Agency (AEPD), four fines totaling $9.72 million. The telecommunications company is being penalized for wrongful telemarketing activities and poor data protection policies. Vodafone conducted unsolicited marketing calls, texts, and emails without consent, even targeting customers who expressly stated they did not want to be contacted. They also executed international data transfers that went against the General Data Protection Regulation and disregarded proper data verification methods. The AEPD declared that Vodafone Spain has no “real, continuous, permanent and audited control” over customer data handling and could not "provide detailed documentation on data protection guarantees." 

Birmingham college crippled by ransomware.

South and City College, a school in Birmingham (and by the way, fellow Americans, that's the Birmingham in the English Midlands, not the one in Alabama) was hit with a serious ransomware incident that caused it to close many of its activities while it investigates and recovers. The College posted this message on its website:

"The College has suffered a major ransomware attack on our IT system which has disabled many of our core IT systems. Access to our college buildings is currently limited, whilst our IT specialists are fixing the problem. Please see our Essential Info for Students page for advice on the gradual return to on-site learning.

"For full details of the cyber-attack and how the college is responding, read our official statement.

"At this time, if you would like to apply for a course or have a query regarding your application please email admissions@sccb.ac.uk.

"Thank you for your cooperation and patience."

The ransomware is believed to have hit the College around midnight this past Friday. Peter Groucutt, Managing Director at Databarracks, wrote with some advice for educational institutions:

"South and City College in Birmingham has not confirmed the specifics of the attack yet, but yesterday, the FBI issued guidance on an 'Increase in PYSA Ransomware Targeting Education Institutions.' The FBI is reporting an increase in PYSA ransomware targeting education institutions in 12 US states and the United Kingdom.

"This is a double extortion attack, both encrypting and exfiltrating data to extort the victims – threatening to release data on the dark web if ransoms are not met. Attackers are gaining access through phishing emails or compromising Remote Desktop Protocol (RDP) credentials.

"It hasn’t been disclosed if it was PYSA ransomware that hit South and City College in Birmingham, but educational institutions should take note. Education is already shouldering enormous demands during the pandemic. Ransomware attacks like this cause significant disruption of days or even weeks and months. 

"Key actions should be to review RDP and warn users about the heightened threat of phishing. Ideally anti-spam tools will prevent phishing emails, but they will not prevent every targeted email getting through; vigilant users are vital too. They should also review incident response plans and backup and recovery plans."


