NEW from SophosLabs: No two criminal groups deploy the ransomware-as-a-service (RaaS) REvil, aka Sodinokibi, in exactly the same way.
One of the ransomware-as-a-service (RaaS) families we encounter most frequently, known alternately as Sodinokibi or REvil, is as conventional a ransomware as we’ve seen: its routines, configuration, and behavior are what we’ve come to expect from a mature family that is, obviously, well used in the criminal underground.
Unsurprisingly, Sophos has devoted significant effort to combating this everyday menace. In addition to tamper protection, which prevents a script from disabling endpoint protection, we use behavioral detection rules that identify the core activities ransomware must engage in, and a feature called CryptoGuard that prevents the ransomware from encrypting data.
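To make the "core activities ransomware must engage in" concrete, here is an added illustration of a behavioral heuristic of that kind. It is not Sophos code and does not describe how CryptoGuard works internally (the article does not say); the event schema, the process IDs, the file contents and the thresholds are all constructed for the example. The detector watches a stream of per-process file events and flags a process that, within a sliding window, repeatedly overwrites files with ciphertext-like (high-entropy) data and then renames them to a new extension. It also shows why entropy alone is a poor signal: a backup tool writing a few archives is high-entropy too, but never trips the rule.

```python
import hashlib
import math
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FileEvent:
    """One file-system event as a minimal sensor might report it (constructed schema)."""
    pid: int
    op: str                 # "write" or "rename"
    path: str
    data: bytes = b""       # payload written (for "write")
    new_path: str = ""      # destination (for "rename")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text sits around 4-5, ciphertext or compressed data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class RansomwareBehaviorDetector:
    """Flags a process that, within a sliding window of its recent file events, repeatedly
    writes high-entropy content and then renames those files to a different extension.
    The thresholds are illustrative assumptions, not tuned production values."""

    def __init__(self, entropy_threshold: float = 7.5, window: int = 20, min_hits: int = 10):
        self.entropy_threshold = entropy_threshold
        self.min_hits = min_hits
        self.recent: Dict[int, deque] = defaultdict(lambda: deque(maxlen=window))
        self.scrambled: Dict[int, set] = defaultdict(set)   # paths each pid filled with high-entropy data
        self.flagged: List[int] = []

    def observe(self, ev: FileEvent) -> bool:
        """Feed one event; return True if the pid is (now) considered ransomware-like."""
        hit = False
        if ev.op == "write":
            hit = shannon_entropy(ev.data) >= self.entropy_threshold
            if hit:
                self.scrambled[ev.pid].add(ev.path)
        elif ev.op == "rename":
            # Renaming a file this pid just overwrote with ciphertext-like data to a new
            # extension is the classic encrypt-then-rename pattern.
            changed_ext = os.path.splitext(ev.path)[1] != os.path.splitext(ev.new_path)[1]
            hit = ev.path in self.scrambled[ev.pid] and changed_ext
        self.recent[ev.pid].append(hit)
        if sum(self.recent[ev.pid]) >= self.min_hits and ev.pid not in self.flagged:
            self.flagged.append(ev.pid)
        return ev.pid in self.flagged


def pseudo_random_bytes(seed: str, size: int = 4096) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed, not real encryption)."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:size])


def constructed_events() -> List[FileEvent]:
    """Three constructed processes: a word processor, a backup tool, and an encryptor."""
    events = []
    for i in range(15):                                   # pid 100: benign low-entropy documents
        events.append(FileEvent(100, "write", f"/home/u/doc{i}.txt",
                                data=(f"quarterly report draft {i}\n" * 100).encode()))
    for i in range(3):                                    # pid 300: high-entropy archives, no renames
        events.append(FileEvent(300, "write", f"/backup/set{i}.zip",
                                data=pseudo_random_bytes(f"zip{i}")))
    for i in range(12):                                   # pid 200: overwrite with ciphertext, then rename
        path = f"/home/u/photo{i}.jpg"
        events.append(FileEvent(200, "write", path, data=pseudo_random_bytes(f"enc{i}")))
        events.append(FileEvent(200, "rename", path, new_path=path + ".locked"))
    return events


def detect(events: List[FileEvent]) -> List[int]:
    """Run the detector over an event stream and return the pids it flagged, in order."""
    det = RansomwareBehaviorDetector()
    for ev in events:
        det.observe(ev)
    return det.flagged


if __name__ == "__main__":
    print("flagged pids:", detect(constructed_events()))   # expected: [200]
```

Only pid 200 is flagged: the document writer never produces high-entropy output, and the backup tool produces three high-entropy files but never renames them, so it stays under the hit threshold. A real product would pair a rule like this with the ability to roll back the affected files, which is the part the paragraph attributes to CryptoGuard and which this example does not attempt.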
As attacks involving RaaS malware, including REvil, have increasingly generated public attention and news coverage, SophosLabs wanted to pull together a common body of our knowledge about the ransomware itself, and the variety we observe in the attack methods employed by the criminals who lease the software and handle the break-ins...