REvil ransomware’s calling, and it’s not good news

The REvil ransomware (AKA Sodinokibi, which operates as a Ransomware as a Service) is adopting some outreach techniques after initial compromise, designed to shame victims into paying up.

Shaming victims into action

Malware authors and social engineers have relied on shame and the threat of exposure for years. Nothing encourages potential victims to pay up like a solid threat. This isn’t something to underestimate or dismiss. It can have very serious consequences, with at least one tragedy involving a suicide linked to common-or-garden ransomware threats. 

These threats are most closely linked to people at home, with sextortion being one of the biggest.

This is where victims are told someone has footage of them watching pornographic material, or engaging in sexual activity. If they don’t pay the Bitcoin ransom, scammers will release the footage to the world at large or even to just friends and family. This threat comes from old passwords taken from password dumps—which have probably long since changed—which could lend some believed credibility to the threat. The Ransomware authors have no footage whatsoever, but it’s a very effective tactic.

From consumer to corporate…

In recent developments, ransomware bought itself a business suit and a nice tie, and it started working its way into corporate. Here, the gimmick was compromising the network, locking up important files and/or servers and demanding cash to release them back to victims.

This quickly became a mess of arguments over paying the ransom, and the world of cyber insurance and whether it would actually insure against these types of attacks. It also led into the concept of ransomware authors ruining their own trust model with broken unlocks or missing decryption keys.

This time it’s personal

Whereas typical ransomware attacks involve encryption of all available files. More recently, attackers have added data exfiltration to their box of tricks, along with threats to leak the stolen data if victims are able to recover from the encryption with the attacker’s help.

A well-worn security notion is that we never know the full story in terms of numbers compromised by attack X or Y. This seems a reasonable assumption; lots of consumer and business victims of cybercrime do not want to publicize it. There may be liability issues they’re trying to keep hidden, or perhaps they don’t want the embarrassment of everyone knowing what happened.

This latest development twists the exfiltration knife a bit harder by using a splash of shame to encourage victims to pay up.

The scammers perform outreach to the media and the victim’s clients. The idea here is to keep heaping pressure on the victims until they relent and pay up. VoIP calls seem to be the method of choice for said outreach, which helps keep callers anonymized.

As noted by Bleeping Computer, similar tactics have been used in the past, but those calls focused on the victims. Threatening to expose a compromised machine or network via journalists or business affiliates is upping the stakes quite a bit.

As with ransomware attacks where there is no guarantee of being given a decryption key after payment, so too is there no guarantee the attackers will play nice afterwards. Regardless of tactics used, the end results are always the same: pay up, or else.

Putting scammers on the do-not-call list

Options may be limited depending on how prepared victims are at the start of a ransomware attack. It may well be that files are unrecoverable, or business operations cease while cleanup takes place.

It could be a huge payout is handed to the attackers, and no files are returned. They may get lucky, with all services restored and no mention outside the four walls of the business affected. It’s simply a lottery, though having said that, there’s a few ways you can even the odds. Stay safe out there, and hopefully you’ll never have to hear a ransomware fan at the other end of a telephone line.

The post REvil ransomware’s calling, and it’s not good news appeared first on Malwarebytes Labs.