
Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
ANTI-CYBERCRIME GROUP
Camp BGen Rafael T Crame, Quezon City

ACG-CYBER SECURITY BULLETIN NR 250: UNDERSTANDING THE RISK OF REVIL RANSOMWARE

Reference Number ACG-CSB 052522250

The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as Restricted pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

REvil ransomware is a file-blocking malware that encrypts files after infection and drops a ransom note. The note explains that the victim must pay a ransom in bitcoin and that if it is not paid in time, the demand doubles. To make matters worse, a countdown timer indicates when the stolen data will be made public, putting added pressure on companies that have fallen victim to an attack.

If REvil’s demands are not met, the operators threaten to release the stolen data by auctioning it off on their website “The Happy Blog”. The site lists recent victims of REvil and shows a snippet of the stolen data as proof that the information has been taken from the affected organizations.

REvil ransomware is one of the ransomware programs deployed during human-operated ransomware campaigns. After breaking in, the attackers use tools and techniques to map the network, gain access to other internal systems, obtain domain administrator privileges, and deploy the ransomware on all computers to maximize their impact.

The ransomware is distributed through phishing emails and kills processes on the infected machines, such as email and database servers, Microsoft Office programs, browsers, and tools that keep important files backed up. It also deletes Windows Volume Shadow Copies and other backups to prevent file recovery.

REvil ransomware stands apart from other types of ransomware programs through its use of Elliptic-Curve Diffie-Hellman key exchange. Elliptic-curve algorithms achieve strong security with shorter keys and are highly efficient, so the encrypted files cannot practically be recovered without the attacker’s private key.

While REvil operations have been shut down, it is likely that organizations, government bodies, and perhaps even ordinary consumers will not easily forget the consequences of its attacks. Affiliates that were involved in the attacks could join other ransomware operations, and REvil TTPs can be mimicked in newer campaigns. In the meantime, the current shutdown is a good opportunity to learn from REvil while the group lies low.

   To help defend systems against similar threats, organizations can establish security frameworks that can allocate resources systematically for establishing a solid defense against ransomware.

RECOMMENDATION

All PNP personnel as well as the public are advised to follow these tips to avoid being a victim of REvil ransomware:


  • Take an inventory of assets and data;
  • Identify authorized and unauthorized devices and software;
  • Make an audit of event and incident logs;
  • Manage hardware and software configurations;
  • Grant admin privileges and access only when necessary to an employee’s role;
  • Monitor network ports, protocols, and services;
  • Activate security configurations on network infrastructure devices such as firewalls and routers;
  • Establish a software allow list that only executes legitimate applications;
  • Conduct regular vulnerability assessments;
  • Perform patching or virtual patching for operating systems and applications;
  • Update software and applications to their latest versions;
  • Implement data protection, backup, and recovery measures;
  • Enable multifactor authentication (MFA);
  • Employ sandbox analysis to block malicious emails;
  • Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network;
  • Detect early signs of an attack such as the presence of suspicious tools in the system; and
  • Use advanced detection technologies such as those powered by AI and machine learning.
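The summary above notes that REvil deletes Windows shadow copies and kills mail, database, Office, browser and backup processes before encrypting, and the tips recommend detecting early signs of an attack. The following added example (not part of this bulletin, and not PNP ACG code) shows how a defender can flag those two pre-encryption behaviours in process-creation telemetry; the event format, host names, command lines and the list of watched process names are constructed for illustration.

```python
import re

# Constructed process-creation events (host, parent image, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "cmd": "winword.exe /n report.docx"},
    {"host": "ws01", "parent": "cmd.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv02", "parent": "unknown.exe", "cmd": "wmic shadowcopy delete"},
    {"host": "srv02", "parent": "unknown.exe", "cmd": "net stop MSSQLSERVER /y"},
    {"host": "srv02", "parent": "unknown.exe", "cmd": "taskkill /F /IM outlook.exe"},
    {"host": "ws03", "parent": "services.exe", "cmd": "svchost.exe -k netsvcs"},
]

# Behaviour 1: removal of Windows shadow copies so files cannot be restored.
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
]

# Behaviour 2: forced termination of mail, database, Office, browser or backup processes.
KILL_CMD = re.compile(r"\b(taskkill|net\s+stop)\b", re.I)
# Illustrative (constructed) set of watched process/service names, one per category above.
PROTECTED_PROCESS = re.compile(r"(outlook|mssql|sqlservr|mysql|winword|excel|chrome|firefox|backup)", re.I)


def classify(cmd: str):
    """Return the behaviour category a command line matches, or None if it is benign."""
    if any(p.search(cmd) for p in SHADOW_COPY_DELETION):
        return "shadow_copy_deletion"
    if KILL_CMD.search(cmd) and PROTECTED_PROCESS.search(cmd):
        return "process_termination"
    return None


def triage(events):
    """Aggregate findings per host: both behaviours on one host is the strongest
    sign that encryption is imminent ("high"); one alone is still worth a look ("medium")."""
    per_host = {}
    for ev in events:
        category = classify(ev["cmd"])
        if category:
            per_host.setdefault(ev["host"], set()).add(category)
    return {host: ("high" if len(cats) == 2 else "medium") for host, cats in per_host.items()}


if __name__ == "__main__":
    for host, severity in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {severity}")
```

A benign administrator may also run these commands, so alerts should be reviewed against change records rather than acted on blindly.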


For additional information, please refer to the following websites:


  • https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil
  • https://www.sitelock.com/blog/what-is-revil-ransomware/

POINT OF CONTACT

Please contact PMAJ JUN-JUN S DAGURO, Police Community Relations Officer, by e-mail or at telephone number (632) 8723-0401 local 7483 for any inquiries related to this CYBER SECURITY BULLETIN.