REvil Ransomware Attacks on the Rise

Monday, March 22nd, 2021

Over the last two weeks, the REvil ransomware group has claimed to have infected nine organizations across Africa, Europe, Mexico and the US. The organizations include two law firms, an insurance company, an architectural firm, a construction company and an agricultural co-op, all located in the U.S.; two large international banks (one in Mexico and one in Africa); and a European manufacturer.

The threat group is also known as the Sodinokibi ransomware gang, and is called “Sodin” by eSentire. The malware, first discovered in 2019, has since grown to hit an array of victims, including New York-based celebrity law firm Grubman Shire Meiselas & Sacks, Travelex and Brown-Forman Corp. (the maker behind Jack Daniels).

Researchers say that REvil cybercriminals posted documents on underground forums that they claim to be from the victims’ systems, including company computer file directories, partial customer lists, customer quotes and copies of contracts. Researchers said they also posted what appear to be several official IDs, belonging either to an employee or to a customer of the victim companies.

While researchers are unable to completely verify that the group’s claims are accurate, they were able to review many of the “leaked” documents, and they appear to be legitimate. For one, the documents appear to relate to the business of each victim, they said. The documents also carry timestamps indicating that the attacks may have occurred fairly recently.

For one of the victims, the manufacturing company, researchers found news reports that the manufacturer had been hit by ransomware and had to stop production for a day or two. Researchers said they have seen REvil expanding its extortion tactics, techniques and procedures (TTPs) to now contact victims’ business associates and the media, in order to put the maximum amount of pressure on the victim to pay.

They noted that in the last couple of days, the threat group also appears to be updating its website to make it easier to browse its victim list.
