REvil Ransomware

Avaddon handed over the decryption keys and retired, Clop ransomware affiliates were arrested, but REvil has remained very active amidst global pressure from law enforcement.

On Tuesday, Grupo Fleury’s website displayed a message explaining they were hit with a cyber attack and systems were not functioning. “Please be advised that our systems are currently unavailable and that we are prioritizing the restoration of services,” the alert read. “The causes of this unavailability originated from the attempted external attack on our systems, which are having operations reestablished with all the resources and technical efforts for the rapid standardization of our services.” Based on retrieved samples, signs point to REvil as responsible for the attack on Grupo Fleury.

REvil, also known as Sodinokibi, has performed attacks on high-profile organizations such as JBS, the world’s largest meat producer, Sol Oriens, a nuclear weapons contractor, and a Brazilian court system.

REvil operators usually make their way into networks through phishing emails carrying documents that the recipient is asked to download and “enable content” on. Once the recipient clicks through, REvil gains a foothold in the environment, steals data, encrypts files, and then demands a ransom. The ransom is paid to REvil in exchange for a promise to delete the stolen data and for the decryption keys that unlock files on the victim machines.
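The “enable content” prompt in the lure above is Office asking permission to run VBA macros embedded in the attachment. The following is an added example, not SpearTip’s or REvil’s code: a small check that a mail gateway or analyst could run to flag OOXML attachments (.docm, .xlsm, .pptm, or a .docx renamed to hide the macro) that carry a VBA project, so they can be quarantined before a user ever sees the prompt. The sample documents it inspects are constructed in memory for the demonstration.

```python
"""Flag Office attachments whose 'enable content' prompt would run VBA macros.

Added example (not code from the original post). The page's phishing lure
depends on the victim enabling macros, so we inspect an OOXML package for the
embedded VBA project. Sample packages are constructed inline for the demo.
"""
import io
import zipfile

# Part names where OOXML stores a VBA project, per Office application.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Content type declared for that part in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_macros(data: bytes) -> bool:
    """Return True if the OOXML package carries a VBA project.

    Both the part list and [Content_Types].xml are checked, because renaming
    a .docm to .docx does not remove the embedded project.
    """
    if not data.startswith(b"PK"):
        return False  # not a zip container; legacy .doc/.xls need OLE parsing
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = set(pkg.namelist())
            if any(part in names for part in VBA_PARTS):
                return True
            if "[Content_Types].xml" in names:
                ctypes = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        return False  # corrupt or truncated attachment: no macro evidence found
    return False


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal Word-like OOXML package for testing (constructed, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real OLE-packed VBA project.
            pkg.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("report.docx", build_sample(False)), ("invoice.docm", build_sample(True))):
        print(f"{label}: {'QUARANTINE (VBA project present)' if has_vba_macros(doc) else 'no macros'}")
```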

REvil operators have not slowed their attack frequency during a time when some groups seem to be cowering away in light of increased global pressure. Organizations must remain vigilant in defending against threats because, even when ransomware attacks as a whole may be on the decline, certain groups, such as REvil, will fill the gap left by defunct groups. If you’re not actively trying to improve your network security, you’ll miss critical vulnerabilities and threat actors will take advantage of them.

SpearTip’s Security Operations Center as a Service (SOCaaS) is functioning 24/7/365 to defend partners’ environments. While you’re asleep or off on the weekend, threat actors are circling vulnerabilities like hawks. Our engineers stop these threats before they can ever infect your machines with the help of our proprietary endpoint detection and response tool, ShadowSpear®. ShadowSpear® blocks malicious ransomware executables from running on your machines, and our engineers are watching behind the scenes. Human oversight of these activities is crucial to responding to threats and protecting your organization’s most critical asset, its data. Our Incident Response capabilities allow us to respond to intrusions in less than 15 minutes, reclaim networks in 6 hours, and completely restore operations in under 36 hours.

SpearTip’s cyber experts continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This gives your organization direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.