The Security Operations Center at Net Friends regularly assesses various forms of malicious software and known attack methods. This helps the team sharpen its detection skills and improve its defensive and response measures. One of our company values is Sharing Knowledge, which is why an explainer like this will help other small and mid-sized businesses design their own strategies to protect against, and respond to, ransomware like REvil.
What is REvil?
The security vendor Cybereason describes REvil (aka Sodinokibi) as “the Crown Prince of Ransomware.”
REvil will make its way into your network via these primary delivery methods:
- Via email attachment
- In a Microsoft Word document
- As a website link
- Through a compromised workstation management agent (remember the SolarWinds attack?)
How to Prevent Attacks?
A successful prevention strategy must address all possible known vectors for the malware. Net Friends recommends a “defense in depth” strategy of multiple overlapping systems to protect against REvil.
For example, a defense in depth strategy should include:
- Email security policy enhancements
- Security software that scans all attachments and embedded links
- DNS records, such as DKIM, that enhance email security
- Regular security training
Unfortunately, attackers keep innovating and finding new schemes to thwart preventive measures. What’s more, when your preventive measures fail, your organization must be ready to act to contain the malicious code within seconds. As a ransomware attack begins delivering its malicious payload, it will spread faster than humans can react. By the time a security analyst is investigating a suspicious log entry, REvil has already compromised multiple systems and is trying to exfiltrate data.
The only effective response strategy is automation. Network administrators must automate the process of detecting suspicious activity, matching it to a known attack pattern, and isolating the compromised systems or applications. This strategy is known as MDR: Managed Detection and Response.
How Can MDR Block REvil?
Companies using Managed Detection and Response to block REvil should look at four main tactics:
- Configure policies on firewalls that watch for IoCs (Indicators of Compromise) that signal when a REvil infection is in progress. For example, at the time of writing, Net Friends is tracking more than 64 IoCs related to REvil. If the firewall detects an IoC, it should shut the connection down, preventing REvil from contacting its “command and control” servers.
- Deploy EDR (Endpoint Detection & Response) agents on laptops and desktops. These agents continually look for suspicious patterns of computer activity that are the indirect evidence of infection by a new variant of REvil. If such a pattern is detected, isolate that endpoint from the network until your Security Operations Center can investigate.
- Coordinate the first two tactics using SOAR tools (Security Orchestration, Automation, and Response) that are integrated into your network. Your SOAR platform should incorporate the latest updates on REvil gathered from sources like MITRE ATT&CK and Palo Alto’s Threat Brief.
- Develop “playbooks” for a potential REvil attack to improve your response time and effectiveness. Verify your playbooks using Breach and Attack Simulation (BAS) software.
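To make the first three tactics concrete, here is an added example (not Net Friends' tooling) of the correlation a SOAR playbook automates: firewall connections are matched against an IoC list, EDR alerts are merged in, and the result is one block list plus one isolation decision per host. The log format, host names, alert names and IoC values are all constructed placeholders, and isolating a host on a firewall IoC hit is an assumption of this sketch.

```python
# Added example: all data below is constructed; no real REvil indicators are used.
# Placeholder IoCs (RFC 5737 address, reserved .example domain).
IOC_IPS = {"192.0.2.66"}
IOC_DOMAINS = {"c2.bad.example"}

# Constructed firewall log lines: "<time> <src_host> <dst_ip> <dst_domain>"
FIREWALL_LOG = """\
09:00:01 ws-12 198.51.100.7 updates.vendor.example
09:00:03 ws-07 192.0.2.66 -
09:00:04 ws-07 203.0.113.9 c2.bad.example
malformed line
09:00:09 ws-31 198.51.100.7 intranet.corp.example
"""

# Constructed EDR alerts: (host, behaviour) pairs reported by endpoint agents.
EDR_ALERTS = [("ws-31", "mass_file_rename"), ("ws-07", "shadow_copy_delete")]


def parse_firewall(log):
    """Yield (host, dst_ip, dst_domain); skip lines that do not parse."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3]


def build_plan(log, alerts):
    """Return (destinations to block, {host: reasons to isolate it})."""
    block, reasons = set(), {}
    for host, ip, domain in parse_firewall(log):
        for dest, iocs in ((ip, IOC_IPS), (domain, IOC_DOMAINS)):
            if dest in iocs:  # firewall tactic: an IoC hit closes the connection
                block.add(dest)
                # Assumption: a host that reached an IoC is also isolated.
                reasons.setdefault(host, set()).add("ioc:" + dest)
    for host, behaviour in alerts:  # EDR tactic: suspicious pattern isolates host
        reasons.setdefault(host, set()).add("edr:" + behaviour)
    # SOAR tactic: merge both sources so each host gets one isolation decision.
    return block, {h: sorted(r) for h, r in sorted(reasons.items())}


if __name__ == "__main__":
    block, isolate = build_plan(FIREWALL_LOG, EDR_ALERTS)
    print("block:", sorted(block))
    for host, why in isolate.items():
        print("isolate", host, "because", why)
```

Keeping the reasons per host gives the analyst who later reviews the isolated endpoint both the network and the endpoint evidence in one place.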
What’s the Next Step?
If you want more information on MDR, or are considering ways to implement MDR as part of your broader security strategy, please contact Net Friends. When you enroll in MDR services with Net Friends, you can trust that no matter how an attack begins on your network, it will be stopped on our watch with unmatched speed and thoroughness. Our team of security analysts and experts, along with our top-tier tools and playbooks, is the most important protection your business needs to keep your data and reputation safe.