Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
Camp BGen Rafael T Crame, Quezon City
ACG-CYBER SECURITY BULLETIN NR 250: UNDERSTANDING THE RISK OF REVIL RANSOMWARE
Reference Number ACG-CSB 052522250
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG). It is classified as “Restricted” pursuant to PNP Regulation 200-012 on Document Security and given an Impact Rating of High based on the PNP Information Communication Technology (ICT) Security Manual s.2010-01, p. 22 and p. 129.
REvil ransomware encrypts files on an infected system and then drops a ransom note. The note states that the victim must pay a ransom in bitcoin and that the demand doubles if it is not paid in time. To add pressure, a countdown timer shows when the stolen data will be leaked publicly.
If its demands are not met, REvil threatens to release the stolen data by auctioning it off on its website, “The Happy Blog”. The site lists recent victims of REvil and shows a snippet of the stolen data as proof that the information was taken from those organizations.
REvil ransomware is one of the programs deployed in human-operated ransomware campaigns. After breaking in, the operators use tools and techniques to map the network, gain access to other internal systems, obtain domain administrator privileges, and deploy the ransomware on all computers to maximize their impact.
The ransomware is distributed through phishing emails. On an infected machine it terminates processes such as email and database servers, Microsoft Office programs, browsers, and tools that back up important files. It also deletes Windows shadow copies of files and other backups to prevent file recovery.
REvil ransomware stands apart from other ransomware programs through its use of Elliptic-Curve Diffie-Hellman key exchange. These elliptic-curve algorithms provide strong security with shorter keys and are highly efficient, which makes the encryption harder to crack.
While REvil operations have been shut down, organizations, government bodies, and perhaps even ordinary consumers are unlikely to forget the consequences of its attacks. Affiliates involved in those attacks could move on to other ransomware operations, and REvil TTPs can be mimicked in newer campaigns. The current shutdown, while the group lies low, is a good opportunity to learn from REvil.
To help defend systems against similar threats, organizations can establish security frameworks that allocate resources systematically toward a solid defense against ransomware.
All PNP personnel as well as the public are advised to follow these tips to avoid becoming a victim of REvil ransomware:
- Take an inventory of assets and data;
- Identify authorized and unauthorized devices and software;
- Make an audit of event and incident logs;
- Manage hardware and software configurations;
- Grant admin privileges and access only when necessary to an employee’s role;
- Monitor network ports, protocols, and services;
- Activate security configurations on network infrastructure devices such as firewalls and routers;
- Establish a software allow list that only executes legitimate applications;
- Conduct regular vulnerability assessments;
- Perform patching or virtual patching for operating systems and applications;
- Update software and applications to their latest versions;
- Implement data protection, backup, and recovery measures;
- Enable multifactor authentication (MFA);
- Employ sandbox analysis to block malicious emails;
- Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network;
- Detect early signs of an attack such as the presence of suspicious tools in the system; and
- Use advanced detection technologies such as those powered by AI and machine learning.
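The following is an added illustration and is not part of the bulletin's source material. It is a small Python script that scans process-creation records for the two behaviours described above (deletion of Windows shadow copies, and forced termination of backup, database, mail and office processes), in support of the recommendations to audit event logs and to detect early signs of an attack such as suspicious tools in the system. The sample events are constructed for this example and are modelled on the command-line field of Windows process-creation logs; vssadmin, wmic, wbadmin and taskkill are standard Windows utilities, while the list of monitored process names and the threshold of three kills per host are assumptions chosen for illustration.

```python
import re

# Constructed sample process-creation records (hypothetical; modelled on the
# CommandLine field of Windows process-creation events, not from any real host).
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "alice", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-01", "user": "alice", "cmdline": "wmic shadowcopy delete"},
    {"host": "ws-02", "user": "bob", "cmdline": "taskkill /F /IM outlook.exe"},
    {"host": "ws-02", "user": "bob", "cmdline": "taskkill /F /IM sqlservr.exe"},
    {"host": "ws-02", "user": "bob", "cmdline": "taskkill /F /IM excel.exe"},
    {"host": "ws-03", "user": "carol", "cmdline": "notepad.exe C:\\Users\\carol\\notes.txt"},
    {"host": "ws-03", "user": "carol", "cmdline": "vssadmin.exe list shadows"},
]

# Command lines that remove Windows shadow copies or the backup catalog.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Process names whose forced termination is suspicious in bulk (backup, database,
# mail, office and browser applications). Illustrative assumption, not exhaustive.
BACKUP_AND_DATA_PROCESSES = {
    "sqlservr.exe", "outlook.exe", "excel.exe", "winword.exe", "msaccess.exe",
    "veeam.exe", "backup.exe", "firefox.exe", "chrome.exe",
}
KILL_PATTERN = re.compile(r"\btaskkill(\.exe)?\b.*?/IM\s+(\S+)", re.I)
KILL_THRESHOLD = 3  # assumed: this many forced kills on one host is reportable


def classify_event(ev):
    """Return a finding for one event, or None if the command line looks benign."""
    cmd = ev["cmdline"]
    for pat in SHADOW_DELETE_PATTERNS:
        if pat.search(cmd):
            return {"host": ev["host"], "user": ev["user"],
                    "kind": "shadow_copy_deletion", "cmdline": cmd}
    m = KILL_PATTERN.search(cmd)
    if m and m.group(2).lower() in BACKUP_AND_DATA_PROCESSES:
        return {"host": ev["host"], "user": ev["user"],
                "kind": "kill_data_process", "cmdline": cmd}
    return None


def analyze(events, kill_threshold=KILL_THRESHOLD):
    """Scan events and return findings: every shadow-copy deletion, plus one
    'mass_process_kill' finding per host whose kills reach kill_threshold."""
    findings = []
    kills_per_host = {}
    for ev in events:
        f = classify_event(ev)
        if f is None:
            continue
        if f["kind"] == "shadow_copy_deletion":
            findings.append(f)
        else:
            kills_per_host.setdefault(f["host"], []).append(f["cmdline"])
    for host, cmds in kills_per_host.items():
        if len(cmds) >= kill_threshold:
            findings.append({"host": host, "kind": "mass_process_kill",
                             "count": len(cmds), "cmdlines": cmds})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the script reports the two shadow-copy deletions on ws-01 and a mass-kill finding on ws-02, while the harmless "vssadmin list shadows" and the notepad launch on ws-03 are ignored; in practice the same functions would be fed the command-line field exported from process-creation logging on each endpoint.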
For additional information, please refer to the following websites:
POINT OF CONTACT