Researchers with Symantec’s Threat Intelligence team observed REvil ransomware operators in the act of scanning a victim’s network for Point of Sale (PoS) servers.
REvil (also known as Sodinokibi) is a Ransomware-as-a-Service (RaaS) operation known to breach corporate networks using exploits, exposed remote desktop services, spam and hacked Managed Service Providers.
After accessing a target’s network, the operators spread laterally while also stealing data from servers and workstations, and later encrypt all machines on the network once they have gained administrative access to a domain controller.
In the campaign observed by Symantec, the REvil affiliates used the off-the-shelf Cobalt Strike penetration testing toolkit to deploy REvil (aka Sodinokibi) ransomware payloads on their targets’ networks.
Ransom doubled within three hours
In total, the researchers found Cobalt Strike on the networks of eight companies targeted in this operation, with the REvil ransomware going on to infect and encrypt three of them, from the retail, food and healthcare sectors.
“The companies targeted in this campaign were primarily large, even multinational, companies, which were likely targeted because the attackers believed they would be willing to pay a large ransom to recover access to their systems,” Symantec explained.
Each of the victims was asked to pay $50,000 worth of the Monero cryptocurrency, rising to $100,000 if a three-hour deadline expired.
Scanning PoS systems
While the utilities and food corporations were ideal targets, since large entities were willing to pay a huge ransom to unlock their networks, the healthcare organization was a smaller company that could not afford the ransom.
In this case, likely because there was a high probability that the victim would be unable to pay for their “decryptor,” the REvil operators also scanned the healthcare organization’s network for PoS systems, either as part of a credit card data theft attempt or to find an additional valuable target worth encrypting.
“While many of the elements of this attack are ‘typical’ tactics seen in previous attacks using Sodinokibi, the scanning of victim systems for PoS software is interesting, as this is not typically something you see happening alongside targeted ransomware attacks,” Symantec concluded.
“It will be interesting to see if this was just opportunistic activity in this campaign, or if it is set to be a new tactic adopted by targeted ransomware gangs.”
The REvil ransomware operators also launched an auction platform earlier this month for selling data stolen from their victims to the highest bidder.