REvil ransomware: how least privilege could have saved Acer

The hits keep on coming from big-ticket ransomware. First Emotet, then Ryuk… Organizations across the world are under constant threat of a data breach or of losing their data to criminal groups' ransom demands. The latest attack to make headlines? REvil. Their victim? Computing giant Acer.

What happened with Acer and REvil Ransomware

REvil first hit the news on March 18th, when the group behind the ransomware published images of stolen (exfiltrated) documents on the dark web as proof of their intrusion. Sources from both REvil and Acer confirm the attack. The leaked data appears to include company financial spreadsheets, bank balances, and bank communications, all being held for a record-breaking ransom demand: the largest ever, a cool $50 million, which the company is expected to deliver by the end of March or face the consequences.

Double Extortion: REvil Ransomware Encryption & Exfiltration

Though it may be breaking records for ransom demands, REvil is following the latest trend in malware. Double extortion is a newer approach that uses not one but two techniques to cause trouble for targeted organizations.

The classic ransomware approach is simple: we gain access and encrypt your data, we demand a ransom, and in exchange for payment we give you the key to get your data back. Double extortion ups the ante: it not only holds the data for ransom, but also threatens to inflict greater financial or reputational damage (by leaking the exfiltrated copy) if the demands are not met.

Industry experts saw a dramatic rise in the number of double extortion attacks in 2020, and expect the number to continue to increase exponentially in 2021.

The REvil ransomware has been around for some time and has evolved since its first appearance. At first it leveraged CVE-2018-8453 to gain privileges. More recently, however, REvil has adapted to current vulnerabilities. Expert investigations into the REvil attack on Acer suggest that the group may have exploited the Microsoft Exchange ProxyLogon vulnerabilities to gain access to Acer's network. It is highly likely that the recent CVE-2021-26855 and CVE-2021-27065 Exchange vulnerabilities were the attack vector for REvil's entry into Acer's network.

These known vulnerabilities are weak points in a corporate system that leave on-premises Microsoft Exchange servers exposed. Ransomware like REvil takes advantage of such weaknesses to gain access to the IT infrastructure, move laterally across the network, and self-elevate privileges to reach sensitive systems and data. Without privileges, the ransomware cannot achieve its goal of accessing and encrypting data worth holding for ransom.

Stop Ransomware with Endpoint Privilege Management (EPM)

Securing all corporate endpoints, whether they are employee workstations, industrial IoT machines, servers, or anything else, is critical to protecting organizations from malware, including ransomware like REvil. Often, though, endpoint security systems depend on the latest updates and can only defend against known threats for which detection methods have already been developed. Today's ransomware is not only constantly evolving but is also built to evade traditional anti-virus software, and thus modern problems require modern – proactive – solutions.

With a successful implementation of the Principle of Least Privilege, REvil would not have gotten very far, as the first thing it tries to do is escalate privileges. In fact, it first tries to exploit CVE-2018-8453 (a privilege escalation vulnerability), and if that doesn't work it then tries other techniques. It needs those privileges because, before encrypting, it tries to kill applications and system processes and to delete backups. It is at this stage that it could have been detected with WALLIX BestSafe.
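The pre-encryption stage described above (killing processes and deleting backups) is the one that leaves the clearest telemetry, and it is also the stage that needs an administrative token. The following is an added example, not code from the original post or from WALLIX: a small detector that scans process-creation events for backup-tampering commands and for bursts of process-kill or service-stop commands from the same parent process. The sample events are constructed for this example, and the command patterns are assumptions drawn from commonly documented ransomware recovery-inhibition behaviour (MITRE ATT&CK T1490), not from the Acer incident.

```python
import re
from collections import defaultdict

# Constructed process-creation events in the style of Sysmon Event ID 1 /
# Windows 4688 telemetry. Sample data for this example only; not telemetry
# from the Acer incident or from any product.
SAMPLE_EVENTS = [
    {"ts": "2021-03-18T01:00:01", "user": r"CORP\alice",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2021-03-18T01:00:02", "user": r"CORP\alice",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"ts": "2021-03-18T01:00:03", "user": r"CORP\alice",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmd": "taskkill.exe /F /IM sqlservr.exe"},
    {"ts": "2021-03-18T01:00:03", "user": r"CORP\alice",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmd": "taskkill.exe /F /IM outlook.exe"},
    {"ts": "2021-03-18T01:00:04", "user": r"CORP\alice",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmd": "net.exe stop VeeamBackupSvc /y"},
    # Benign activity: an interactive user closing one application.
    {"ts": "2021-03-18T09:12:00", "user": r"CORP\bob",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r"notepad.exe C:\notes.txt"},
    {"ts": "2021-03-18T09:15:00", "user": r"CORP\bob",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "taskkill.exe /F /IM notepad.exe"},
    {"ts": "2021-03-18T11:30:00", "user": r"CORP\svc-deploy",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "wbadmin.exe delete catalog -quiet"},
]

# Commands that inhibit system recovery. Every one of them requires an
# administrative token, so under enforced least privilege they fail at
# launch; the detection below is the second layer, for when they do not.
BACKUP_TAMPER_PATTERNS = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic shadowcopy delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin delete catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit recoveryenabled no": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}

# Forced process termination and service stops. One of these is normal;
# a burst from a single parent is the pre-encryption pattern.
KILL_PATTERNS = [
    re.compile(r"\btaskkill(?:\.exe)?\b.*/f\b", re.I),
    re.compile(r"\b(?:net|sc)(?:\.exe)?\s+stop\b", re.I),
]


def detect(events, kill_burst_threshold=3):
    """Return one finding per matched rule over the given events."""
    findings = []
    kills_by_origin = defaultdict(list)  # (user, parent) -> timestamps

    for ev in events:
        cmd = ev["cmd"]
        for technique, pattern in BACKUP_TAMPER_PATTERNS.items():
            if pattern.search(cmd):
                findings.append({"rule": "backup_tampering", "technique": technique,
                                 "user": ev["user"], "parent": ev["parent"], "ts": ev["ts"]})
                break
        if any(p.search(cmd) for p in KILL_PATTERNS):
            kills_by_origin[(ev["user"], ev["parent"])].append(ev["ts"])

    # Group kills by their origin: the same parent issuing several is the signal.
    for (user, parent), stamps in kills_by_origin.items():
        if len(stamps) >= kill_burst_threshold:
            findings.append({"rule": "process_kill_burst", "user": user, "parent": parent,
                             "count": len(stamps), "first": stamps[0], "last": stamps[-1]})
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'backup_tampering': 3, 'process_kill_burst': 1}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the detector reports three backup-tampering events and one kill burst (five kill or stop commands from the one unsigned binary in a Temp folder), while bob's single `taskkill` stays below the threshold. Note where the parent process lives: an EPM policy that denies elevation to anything launched from a user-writable directory would have stopped every one of the flagged commands before they ran, which is the point the post makes about least privilege.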

However, enforcing a Least Privilege model can be complicated without the right solution. WALLIX BestSafe endpoint privilege management makes it simple. With advanced white/black/grey-listing technology and a granular approach to privilege management at the application and process level, even if ransomware manages to gain entry into an organization's network, it is immediately neutralized by its inability to elevate privileges, access data, or run encryption processes. Even without a comprehensive Least Privilege model, WALLIX BestSafe enables IT admins to remove privileges from applications even when the users running them are administrators.

How to stop ransomware

It seems like every other month another major ransomware attack makes headlines. This month is no exception, with a record-breaking ransomware attack on Acer, an established and well-known computer company, that puts its – and its customers' – data at risk. Despite the company's own statement that it has been improving its cybersecurity infrastructure, the incident once again shows the critical importance of prioritizing privileged access security. After all, with an EPM solution like WALLIX BestSafe, REvil would have attempted to run without privileges and failed, all while the user remained a full administrator with full admin rights.

Ready to protect your organization from malware, ransomware and crypto-viruses?