It seems that every week a new ransomware-related headline hits the media, RaaS (ransomware as a service) has become big business and its latest incarnation is REvil. If you are unaware of this menace, REvil (also known as Sodinokibi) made big headlines due to a successful supply chain hack of Kaseya – software used by IT service providers to deliver technology services for hundreds of thousands of customers. The total ransom initially demanded was in excess of $70 million dollars.
So far, Canada appears to have been largely unscathed as this article published in Global News points out: “Canada ‘lucky’ no big hits taken from world’s largest ransomware attack”.
But that doesn’t mean Canada is invulnerable…
Background on REvil
You know that a technology has hit the mainstream when there is an acronym for it and RaaS (ransomware as a service) means that any hacker, gang, or thief in the world can take advantage and profit. While back-door hacks and ransomware are the current new story, this group is equally famous for data exfiltration. With a back door into the network, a lot of damage can be done and the two most used tactics are:
- Encrypt the systems
- Steal the data and threaten to publish it – meaning a backup does not solve the problem
How do they get access to a system? They use the same set of tactics used by all hackers but done by a highly professional and criminally well-funded (via ransomware payments) organization
- Send phishing emails and/or stand up fake websites or compromised websites to deliver a payload – often by macro
- Use server-based (or other published vulnerabilities) to constantly probe for back door access
- Supply chain hacks that target software providers around literally ANY of the organization with which you connect or share data
What’s more – today we saw a fun little bit of news coming out earlier this week that there are now Linux versions of the ransomware. Yes, Linux. That fun little operating system that operates NAS devices, IoT devices, peripheral-type devices that don’t get maintained well, and…oh yeah…that thing we call the internet.
In short, REvil is not a specific piece of ransomware – they just happen to be an organization that makes some.
What has CIRA seen?
Canada is not immune and neither our cold climate nor sunny disposition can save us.
Starting at the beginning of this month we saw a small but definite up-tick in blocks seen across the networks of customers using the CIRA DNS Firewall. Most of these blocks were indicative of command and control DNS entries – which is a strong indication of possible compromise. However, we do need to note that our view is at the DNS layer, and so queries could be coming from mail server security (and similar). However, in this context, it IT teams should still be doing quick checks on their networks.
There are roughly 1200 domains that are suspected of being C2 ( hardcoded into the malware ) – we are seeing blocks against the lists. They appear to be legitimate sites that may have been compromised. While blocks may be legitimate queries, some patterns look unlikely to be user-generated.
Moreover, we have seen various .CA website properties that have been implicated in the command and control of REvil malware – something which is traditionally quite rare. In short, you aren’t just looking for pseudo-random subdomains or something from a foreign country or risky gTLD.
What to do about it
Defence-in-depth is always the recommended solution for mitigating risk. Simply put, ensuring lots of appropriate layers of cybersecurity are in place. In today’s world that even includes a good analysis of who is supplying your company with software or SAAS. If one of your IT suppliers (no matter how small) is compromised by this, then you might be.
The second very important activity is to ensure all systems are patched and that you have a formal policy for doing so. Nobody can save you from poor IT management practices.
If you need remote access or end-users with admin control, make sure that the right MFA and SSO are enabled and that systems and networks are appropriately sequestered.
Finally, monitor what is happening on your servers. Since this group is notorious for infiltration and activity on the network before executing the attack then good monitoring can help to spot problems.
CIRA has two services that work together to help mitigate risk and can provide such depth:
CIRA DNS Firewall – block users from downloading malicious content. Block command and control of some malware that uses the DNS.
CIRA Cybersecurity Awareness Training – Help educate users to avoid risky behavior and avoid falling for traps.
Conclusion – this is not your average everyday event
This is just the latest in a never-ending string of malware problems but also indicative of a very high degree of sophistication versus the spray-and-pray tactics that are used to do simple ransomware distribution. Our data shows that Canadian organizations are at risk and need to follow best practices to mitigate it. And time is of the essence, the threat actors are reported to initiate encryption of files from 7-30 days of gaining access to the system.
Rob brings over 20 years of experience in the technology industry writing, presenting and blogging on subjects as varied as software development tools, silicon reverse engineering, cyber-security and the DNS. An avid product marketer who takes the time to speak to IT professionals with the information and details they need for their jobs.
