REvil ransomware uses six vulnerabilities to target its victims. If these had been remediated and patched on priority, JBS—the world’s largest meatpacker—could have escaped this attack.

Securin warned about these vulnerabilities in its Ransomware Spotlight Report published in February 2021.

On May 30, 2021, JBS, the world’s largest meat producer, fell victim to a REvil ransomware attack forcing the company to shut down its operations in the US, Canada, and Australia. This disruption to the food and meat industry halted cattle slaughter and resulted in increased meat prices during the Memorial Day weekend in the US. It also stopped beef production in Canada and Australia, and it took around a week to restore operations.

Sources indicate that an APT group named Pinchy Spider (from Russia) might be behind this attack.

We know that attackers are going after critical sectors such as food, manufacturing, energy, and oil & gas to create the maximum disruption and collect millions of dollars as ransom. Colonial Pipeline paid over $5 million to its attackers to restore the gasoline supply. CNA Financial paid a whopping $40 million one of the largest ransomware payments to date. The FBI recovered $2.3 millionabout half of the ransom paid by Colonial Pipelineafter gaining access to the bitcoin account where the money was deposited. Most recently, JBS paid an $11 million ransom to attackers to protect its customers and resume operations.

Most ransomware gangs like REvil are going after organizations whose supply chain, if affected, can cause widespread panic and chaos.

REvil has so far attacked the Telecom website of Sri Lanka, Fujifilm in Japan, and Sol Oriens, a nuclear weapons subcontractor to the US Department of Energy, just in the month of May 2021, and it will continue to go after critical entities that would not hesitate to pay the ransom. The latest in the spate of attacks by REvil is a cyberattack on Invenergy, a renewable energy company based in the US, and on Grupo Fleury, the largest medical diagnostics company in Brazil. A $5 million ransom has been supposedly demanded in the latter.

Securin’s analysts delved deep into the vulnerabilities the group goes after and provide actionable insights that would help organizations stay safe from these types of attacks.

All about REvil

REvil ransomware gangs typically target six vulnerabilities, and incidentally, all of them are featured in Securin’s Ransomware report published in February 2021.


Securin also called out two of these vulnerabilities in 2020 as part of its reports on the Cyber Risk in Virtual Private Networks (VPNs) and Remote desktops.

Vulnerabilities exploited by REvil ransomware


REvil Cheat Sheet

Here are a few quick facts about these vulnerabilities:

  • REvil typically targets its victims through software vulnerabilities, Remote Desktop Protocol (RDP) sessions, and phishing.

  • Out of the six vulnerabilities in the list, five are Remote Code Execution (RCE), and the sixth CVE-2018-8453 enables Privilege Escalation (PE).

  • CVE-2012-0507, CVE-2013-0074, CVE-2018-8453, and CVE-2019-2725 are found in Microsoft and Oracle products such as Windows, JRE, etc.

  • CVE-2019-19781a Citrix vulnerabilityis a favorite of ransomware gangs and is exploited the most. To date, this vulnerability is found to be associated with at least ten ransomware families apart from REvil.

An excerpt from Securin’s Cyber Risk in Remote Desktop report published in June 2020

  • CVE-2019-11510, a Pulse Secure vulnerability, is yet another favorite of ransomware gangs as it creates a pivot through the VPN endpoint, allowing for easy access to internal systems. This vulnerability is associated with five ransomware families.

An excerpt from Cyber Risk in VPNs published in May 2020

  • Our analysts have found that all six vulnerabilities have been trending in the past few months in hacker channels and the dark web.

  • The REvil ransomware is associated with a Russian APT group named Pinchy Spider and an uncategorized group called UNC2628.

  • Sectors and industries that REvil typically targets include manufacturing, telecommunications, information technology, law, computer hardware, tourism, pharmaceuticals and biotechnology, banking, insurance, agriculture, construction, education, healthcare, media and entertainment, finance, food and beverage, hospitals, and e-commerce.

  • CWEs that enabled these vulnerabilities are CWE-404, CWE-22, CWE-74, CWE-399, and CWE-119.



T1027 – Obfuscated Files or Information

T1036 – Masquerading

T1054 – Indicator Blocking

T1059 – Command and Scripting Interpreter

T1076 – Remote Desktop Protocol

T1133 – External Remote Services

T1189 – Drive-by Compromise

T1190 – Exploit Public-Facing Application

T1193 – Spearphishing Attachment

T1195 – Supply Chain Compromise

T1486 – Data Encrypted for Impact

T1490 – Inhibit System Recovery






Global Exposure Analysis

The exposure to CVE-2012-0507 outnumbers the other two CVEs with over 600,000 products with the vulnerability being used around the world.

CVE-2019-11510 (Pulse Secure Vulnerability)
CVE-2019-19781 (Citrix Vulnerability)
CVE-2012-0507 (SUN & Oracle)

The Way Forward

Our research shows that there has been a 17% increase in the number of vulnerabilities associated with ransomware and a 6.5% increase in the number of trending exploits. To date, 260 vulnerabilities have been associated with ransomware.

With ransomware targeting critical sectors and industries, organizations and governments should adopt a risk-based approach to prioritize vulnerabilities based on weaponization and threat associations.

Securin’s in-depth research has helped many organizations become resilient against ransomware. Our recommendation to organizations is to get a Ransomware Assessment to know the gaps, understand the exposure to ransomware, and become resilient.


Share This Post On