Authored by: Denis Legezo, senior security researcher, Kasperky’s Global Research and Analysis Team
What is REvil?
The REvil (also known as Sodin or Sodinokibi) ransomware has been known since 2019 and it can both encrypt data and steal it. It is distributed on specialised forums "by subscription" (ransomware-as-a-service). Thus, two groups of attackers are involved in the attack: the first finds a breach in the protection of the organisation and injects REvil there and the second creates the malware. After encryption or data theft, a ransom is demanded from the victim. And if successful, it is divided between these groups.
An interesting feature is that the malware does not start if certain languages are detected when checking the system language and existing keyboard layouts (this is a large set of dozens of layouts), including Russian.
How real is the threat made by the actors?
The threat is real and this is not the first high-profile incident that uses this malware.
What should Apple do in this situation? And how can they protect themselves if contractors are so easily hacked?
Unfortunately, purely technical protection measures are not enough - the contractor's protection perimeter is under their jurisdiction. Manufacturers are left to impose strict information security requirements for their suppliers, as well as, for example, impose legal sanctions for such violations.
How can information security services help in this case? Is the main task of information security teams to prevent such attacks?
The main task is to prevent the occurrence of such attacks in the future. In the aftermath of such attacks, it is important to conduct a comprehensive investigation of the incident, draw conclusions about the current vulnerabilities, and fix them (remove excessive use of RDP, especially without a VPN, and reduce the attack surface). Also, in our opinion, it is important to put in place effective monitoring, and to have an action plan in case such attacks occur.
Is this attack unique? How do you think it may affect the info security world?
Targeted ransomware attacks on large companies have become quite common, especially over the past few years. One specific attack, even on an organisation known worldwide, will not change the way things are operated. But we hope that the reaction to this trend will include the introduction of information security events monitoring; complex cybersecurity systems, including for proactive detection of attacks; and enhanced training of employees around cybersecurity rules.