REvil ransomware has been a constant threat in the ransomware landscape across the globe this year and they are not stopping. Sol Oriens, which is a subcontractor for the US Department of Energy (DOE) that works on nuclear weapons with the National Nuclear Security Administration (NNSA), was hit with a suspected ransomware attack at the hands of REvil.
In a statement regarding the attack, Sol Oriens explained, “In May 2021, Sol Oriens became aware of a cybersecurity incident that impacted our network environment. The investigation is ongoing, but we recently determined that an unauthorized individual acquired certain documents from our systems. Those documents are currently under review, and we are working with a third-party technological forensic firm to determine the scope of potential data that may have been involved. We have no current indication that this incident involves client classified or critical security-related information. Once the investigation concludes, we are committed to notifying individuals and entities whose information is involved.”
Confirmation of the REvil attack came after researchers found information posted on the group’s dark web leak site. The leaked data was reportedly a “company payroll form from September 2020, outing a handful of employees’ names, social security numbers, and quarterly pay. There’s also a company ledger, and a portion of a memo outlining worker training plans.” Even so, it is very concerning that a military subcontractor did not have adequate defenses against these threat actors.
Understanding threat actor motives and methods is crucial to stopping them, because no two groups attack organizations in the same way. What researchers discovered in this attack is that REvil repeatedly attempted password logins against RDP. Within a span of five minutes, REvil attempted about 35,000 logins from at least 349 distinct IP addresses.
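The pattern described above (tens of thousands of RDP login attempts in minutes, spread across hundreds of source addresses) is detectable from failed-logon records alone. The following is an added example, not code from SpearTip or from the original post: it buckets constructed sample records into five-minute windows and flags any window whose attempt count and distinct-source count both exceed thresholds. The log format, the sample addresses and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed RDP logons (not real logs). One record per
# line: "timestamp,source_ip,username". On Windows these would come from
# Security Event ID 4625 with logon type 10 (RemoteInteractive).
SAMPLE_LOG = """\
2021-05-01T02:00:01,198.51.100.7,administrator
2021-05-01T02:00:02,198.51.100.7,administrator
2021-05-01T02:00:02,203.0.113.9,backup
2021-05-01T02:00:04,203.0.113.10,jsmith
2021-05-01T02:00:05,198.51.100.8,administrator
2021-05-01T02:00:06,203.0.113.11,svc_sql
2021-05-01T02:00:07,203.0.113.12,administrator
2021-05-01T02:00:09,198.51.100.9,jsmith
2021-05-01T02:00:10,203.0.113.13,administrator
2021-05-01T02:00:11,203.0.113.14,backup
2021-05-01T02:00:12,203.0.113.15,jsmith
2021-05-01T02:00:13,203.0.113.16,administrator
2021-05-01T04:30:00,192.0.2.5,jsmith
"""

def parse_events(text):
    """Parse the constructed CSV-style records into (timestamp, ip, user)."""
    events = []
    for line in text.splitlines():
        ts, ip, user = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), ip, user))
    return events

def window_start(ts, minutes=5):
    """Floor a timestamp to the start of its fixed-size window."""
    floored = ts.replace(second=0, microsecond=0)
    return floored - timedelta(minutes=floored.minute % minutes)

def detect_spray(events, min_attempts=10, min_sources=5):
    """Flag five-minute windows with many failures from many distinct IPs.
    Thresholds are assumptions; tune them to the environment's baseline.
    The attack in the post (~35,000 attempts, 349+ IPs) would exceed any
    reasonable setting by orders of magnitude."""
    buckets = defaultdict(list)
    for ts, ip, user in events:
        buckets[window_start(ts)].append((ip, user))
    alerts = []
    for start in sorted(buckets):
        ips = {ip for ip, _ in buckets[start]}
        users = {user for _, user in buckets[start]}
        if len(buckets[start]) >= min_attempts and len(ips) >= min_sources:
            alerts.append({"window": start, "attempts": len(buckets[start]),
                           "distinct_ips": len(ips), "distinct_users": len(users)})
    return alerts
```

A single-IP brute force is caught by per-source lockout, but a distributed spray like this one only shows up when failures are aggregated across sources, which is what the distinct-IP count here captures.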
This shows that threat actors carry out as many breach attempts as they can. It is very easy for them to take stolen passwords and try them all in a short amount of time, which is why it is so important to make a team of skilled security engineers part of your company’s investments.
SpearTip’s Security Operations Center runs 24/7 to bolster the defenses of our partners and stop cyber threats. Groups like REvil are obviously very persistent, as they have been in the cyber news frequently this year, and other groups’ attacks have had profound real-world effects, as with JBS and the Colonial Pipeline. Don’t allow them to intrude on your operations; call SpearTip to upgrade your cybersecurity protection today.
If you think your organization has been breached, call our Security Operations Center at 833.997.7327.