It seems that every week a new ransomware-related headline hits the media, RaaS (ransomware as a service) has become big business and its latest incarnation is REvil. If you are unaware of this menace, REvil (also known as Sodinokibi) made big headlines due to a successful supply chain hack of Kaseya – software used by IT service providers to deliver technology services for hundreds of thousands of customers. The total ransom initially demanded was in excess of $70 million dollars.
So far, Canada appears to have been largely unscathed as this article published in Global News points out: “Canada ‘lucky’ no big hits taken from world’s largest ransomware attack”.
But that doesn't mean Canada is invulnerable...
Background on REvil
You know that a technology has hit the mainstream when there is an acronym for it and RaaS (ransomware as a service) means that any hacker, gang, or thief in the world can take advantage and profit. While back-door hacks and ransomware are the current new story, this group is equally famous for data exfiltration. With a back door into the network, a lot of damage can be done and the two most used tactics are:
- Encrypt the systems
- Steal the data and threaten to publish it – meaning a backup does not solve the problem
How do they get access to a system? They use the same set of tactics used by all hackers but done by a highly professional and criminally well-funded (via ransomware payments) organization
- Send phishing emails and/or stand up fake websites or compromised websites to deliver a payload – often by macro
- Use server-based (or other published vulnerabilities) to constantly probe for back door access
- Supply chain hacks that target software providers around literally ANY of the organization with which you connect or share data
What’s more – today we saw a fun little bit of news coming out earlier this week that there are now Linux versions of the ransomware. Yes, Linux. That fun little operating system that operates NAS devices, IoT devices, peripheral-type devices that don't get maintained well, and...oh yeah...that thing we call the internet.
In short, REvil is not a specific piece of ransomware – they just happen to be an organization that makes some.
What has CIRA seen?
Canada is not immune and neither our cold climate nor sunny disposition can save us.
Starting at the beginning of this month we saw a small but definite up-tick in blocks seen across the networks of customers using the CIRA DNS Firewall. Most of these blocks were indicative of command and control DNS entries – which is a strong indication of possible compromise. However, we do need to note that our view is at the DNS layer, and so queries could be coming from mail server security (and similar). However, in this context, it IT teams should still be doing quick checks on their networks.
There are roughly 1200 domains that are suspected of being C2 ( hardcoded into the malware ) - we are seeing blocks against the lists. They appear to be legitimate sites that may have been compromised. While blocks may be legitimate queries, some patterns look unlikely to be user-generated.