Threat Watch

REvil Ransomware Begins Scanning for Point Of Sale Devices

REvil, also called Sodinokibi, is a family of ransomware that has cost victims upwards of a million dollars in past infections. Recently, REvil has evolved with a new technique that allows its operators to scan compromised networks in order to identify Point of Sale (POS) devices that the malware can spread to. POS terminals are typically targeted by cyber threat groups in order to steal payment card information from customer transactions. Credit and debit card records can be sold on criminal underground marketplaces and used to produce duplicate cards that are then used for fraudulent purchases. This evolution in tactics could bring more information and revenue to REvil’s operation.

ANALYST NOTES

The threat actors behind REvil might be targeting POS terminals simply to encrypt and lock the computers that will be most costly for businesses to do without, but the more likely explanation is that REvil intends to steal payment card transaction details to sell for additional profit. Another possibility is that REvil will threaten victims with releasing stolen card data if a ransom isn’t paid, but victims should rightly assume that the card numbers will probably be sold whether they pay or not. Because REvil spreads through networks using already patched vulnerabilities, including EternalBlue, Binary Defense recommends patching internal and public-facing systems. However, as a stronger defense, Binary Defense also recommends using 24/7 monitoring or management of Endpoint Detection and Response (EDR) solutions, as these infections are almost never sudden and unexpected. Additionally, Binary Defense recommends using the 3-2-1 backup solution in order to aid in recovery from a ransomware attack:
• Three forms of backups
• Two types of physical backups
• One backup stored offsite
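The internal scanning for POS devices described above leaves a recognisable fan-out footprint in firewall or flow logs, which is the kind of signal the 24/7 EDR monitoring recommended here can catch before encryption starts. The following is an added illustration, not code from Binary Defense or this advisory; the log line format, the 10.0.0.0/8 addresses and the thresholds are constructed assumptions.

```python
# Added example: sweep detection over constructed flow-log lines of the form
# "<ISO time> <src> <dst> <dport> <allow|deny>"; format and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SAMPLE_FLOWS = (
    # a normal workstation: DNS, file server, printer
    ["2020-06-23T10:00:00 10.1.5.20 10.1.5.1 53 allow",
     "2020-06-23T10:00:02 10.1.5.20 10.1.5.10 445 allow",
     "2020-06-23T10:00:05 10.1.5.20 10.1.5.11 9100 allow"]
    # a host reaching 12 peers, but two minutes apart (below threshold)
    + [f"2020-06-23T10:{2 * i:02d}:30 10.1.5.30 10.1.7.{i + 1} 445 allow"
       for i in range(12)]
    # a compromised host sweeping a whole subnet on SMB within 25 seconds
    + [f"2020-06-23T10:01:{i:02d} 10.1.5.77 10.1.9.{i + 1} 445 deny"
       for i in range(25)]
)


def parse_flow(line):
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, src, dst, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "action": action}


def detect_sweeps(lines, window=timedelta(seconds=60), min_hosts=10,
                  internal=ipaddress.ip_network("10.0.0.0/8")):
    """One alert per source whose distinct internal destinations inside
    any sliding window of length `window` reach `min_hosts`."""
    by_src = defaultdict(list)
    for flow in map(parse_flow, lines):
        if ipaddress.ip_address(flow["dst"]) in internal:
            by_src[flow["src"]].append(flow)
    alerts = []
    for src, flows in by_src.items():
        flows.sort(key=lambda f: f["ts"])
        best, best_start, start = 0, None, 0
        for end in range(len(flows)):
            # advance the window start until it spans at most `window`
            while flows[end]["ts"] - flows[start]["ts"] > window:
                start += 1
            hosts = {f["dst"] for f in flows[start:end + 1]}
            if len(hosts) > best:
                best, best_start = len(hosts), flows[start]["ts"]
        if best >= min_hosts:
            alerts.append({"src": src, "distinct_hosts": best,
                           "window_start": best_start.isoformat()})
    return alerts
```

Calling `detect_sweeps(SAMPLE_FLOWS)` flags only 10.1.5.77; the slow host stays under the threshold because the window is time-bounded, and in real logs a run of denied connections to closed ports from one source is the strongest variant of this signal.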