The (R)Evil Within
Janus Agcaoili
Trend Micro
Abstract:
In the past few months, the REvil ransomware (aka Sodinokibi) made many headlines. First, it updated its behavior to include safeboot routines and declared a ban against targeting critical US infrastructure after the DarkSide fiasco. After US intervention during its attack on JBS, REvil then proceeded to launch attacks on Quanta and Kaseya, thus retracting its previous statement about a ban. These attacks were followed by the ransomware's sudden disappearance and silence after its network infrastructure was shut down without warning.
In this talk, we will present our data on the REvil ransomware's recent attacks, from its updated routine to our findings on its attack patterns and the tools it used to accomplish its routines. This presentation will delve into our investigation of the various ways the REvil ransomware can intrude into a system, and how it lurks to do reconnaissance, move laterally, and disable security measures. We will also explore and discuss its underground activities before its alleged shutdown when its infrastructure went offline, as well as what this sudden disappearance entails for REvil's victims and affiliates alike. Lastly, we will elaborate on the best practices and general preventive measures to take against REvil attacks and what we can expect from these events. Is REvil finally out, or is this just the calm before the storm, with REvil still lurking?
Speaker: Janus Agcaoili, Threat Researcher, Trend Micro