Symantec Threat Intelligence experts discovered that the operators of the REvil (Sodinokibi) ransomware scanned the network of one of their victims in search of Point of Sale (PoS) servers.
Researchers recall that REvil (aka Sodinokibi) is malware run on the ransomware-as-a-service (RaaS) model. REvil specializes in compromising corporate networks through exploits, vulnerable remote access services, spam, and the hacking of managed service providers (MSPs).
Having penetrated a network, REvil moves laterally, steals information from all reachable servers and workstations, and only then encrypts the files.
Symantec experts have now noticed that the group has begun to use the Cobalt Strike pentest toolkit to deploy REvil payloads on victim networks. Cobalt Strike was found in the networks of eight affected companies, and the attackers encrypted data at three large companies working in the services, food and healthcare sectors.
Analysts believe that by choosing large multinational companies, the attackers hope the victims will be able to pay a large ransom to restore access to their systems. From each affected company the hackers demanded $50,000 in Monero cryptocurrency, rising to $100,000 if the ransom was not paid within three days.
Companies in the services and food industries were ideal targets for the attackers, since they are large organizations that can afford a large ransom to decrypt their data. The healthcare organization, however, was much smaller and could hardly afford such an expense.
Apparently the hackers understood this too and feared that this victim would be unable to pay for decryption of its files. So REvil's operators scanned the organization's network for PoS systems, attempting, as a fallback, to find and steal bank card data.
Researchers note that this is quite unlike the usual tactics of REvil operators in particular and of targeted ransomware attacks in general. It will soon become clear whether this was an improvised attempt to insure against non-payment of the ransom, or whether a new trend has emerged among extortionist groups that other hackers will soon adopt.