The return of REvil: Increased ransomware attempts on Remote Management tool
By Aaron Londsdale, VCG Security Manager
A recent surge in ransomware attempts is thought to be linked to the re-emergence of the notorious Russian hacking group, REvil, in the wake of the Russia-Ukraine war. Attacks by the group appear to be exploiting vulnerabilities in third-party RMM tools to gain access to business networks through the Windows BCDEdit command. Because these attacks are indiscriminate, they are a cause for concern for businesses across all industries.
To explain to our customers what they can do to protect against this type of RMM-enabled ransomware attack, we have answered some of the key questions below. Here are the key things you should know.
What is REvil ransomware?
REvil is a Russian ransomware-as-a-service operation, known for targeting third-party software providers in order to launch larger-scale attacks on their customers. In its recent ransomware attempts, REvil has been targeting remote management and monitoring tools that are compatible with Windows solutions, with a view to altering the boot process of individual machines and gaining access to business networks.
The group runs a sophisticated operation that has previously had devastating consequences for businesses around the world.
In July 2021, REvil launched an attack on software provider Kaseya’s remote management tool, which was being used by 35,000 customers, and pushed out a malicious software update that allowed them to hold business data hostage. Among those affected were public administrators, local governments, schools, hospitals, and thousands of small and medium businesses, including Swedish supermarket chain Coop, which was forced to close almost half its 800 stores when self-checkouts and tills stopped working. REvil demanded a $70 million ransom payout for a universal decryption key.
What are RMM tools?
Remote monitoring and management tools are pieces of software designed to allow computers or networks to be managed from a remote location. Whenever a business outsources its IT support, RMM tools are installed on devices in the network to give the IT service provider visibility of and control over individual computers and entire infrastructures. This allows them to make upgrades, carry out fixes and ensure optimal network stability, all from a remote location.
What is BCDEdit?
BCDEdit is the primary command-line tool for modifying the boot configuration of Windows. By exploiting vulnerabilities in the RMM tool, attackers can gain access to the BCDEdit program and issue specific commands to boot a machine into ‘safe mode with networking’, a feature of many RMM tools. In the current attacks, REvil is using this method to change the operating system so it doesn’t use two-factor authentication.
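One way to watch for the boot change described above is to scan process-creation telemetry for BCDEdit setting the safeboot option. This is an added example, not VCG's tooling: the event format, host names, paths and the `rmm-agent.exe` process name are constructed placeholders.

```python
import re

# Assumption: process-creation events (e.g. Sysmon Event ID 1 or Security 4688)
# are already parsed into dicts. Hosts, paths and agent names are constructed.
RMM_AGENTS = {"rmm-agent.exe"}  # hypothetical; list your own RMM agent binaries

# "bcdedit /set ... safeboot <mode>" makes the next boot a Safe Mode boot.
SAFEBOOT_RE = re.compile(
    r"\bbcdedit(?:\.exe)?\b.*?/set\b.*?\bsafeboot\s+(minimal|network)\b",
    re.IGNORECASE,
)

def classify(event):
    """Return a finding for a safeboot change, or None for anything else."""
    match = SAFEBOOT_RE.search(event["cmdline"])
    if match is None:
        return None
    mode = match.group(1).lower()
    # Reduce the parent image path to its lower-cased file name.
    parent = event["parent"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    # Safe Mode with Networking requested by the RMM agent is the pattern
    # the article describes, so it ranks highest.
    high = mode == "network" and parent in RMM_AGENTS
    return {"host": event["host"], "mode": mode, "parent": parent,
            "severity": "high" if high else "medium"}

def scan(events):
    """Classify every event and keep only the findings."""
    return [f for f in map(classify, events) if f is not None]

SAMPLE_EVENTS = [  # constructed sample data
    {"host": "PC01", "parent": r"C:\Program Files\ExampleRMM\rmm-agent.exe",
     "cmdline": "bcdedit /set {default} safeboot network"},
    {"host": "PC02", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "bcdedit.exe /set {current} safeboot minimal"},
    {"host": "PC03", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "bcdedit /enum"},
    {"host": "PC04", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "bcdedit /deletevalue {default} safeboot"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Read-only queries and removal of the safeboot value are deliberately not flagged, so the output stays limited to changes that alter how the machine boots next.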
How can you manage your business’s security estate to prevent ransomware attacks through BCDEdit?
The best thing your business can do to protect against this type of potentially catastrophic attack is to make sure you have a layered defence.
At VCG, we offer a range of solutions to protect your network at every threat layer, from endpoint protection and managed firewalls to application security.
Our managed threat detection is a business-wide solution designed to help deliver ultimate cyber resilience around the clock, detecting, recognising and reacting to threats before they can cause any damage.
Learn more about VCG’s managed threat detection solutions.