{
	"id": "9c54785b-05a3-42e9-8270-df4612544144",
	"created_at": "2026-04-06T00:13:21.023323Z",
	"updated_at": "2026-04-10T03:20:22.645887Z",
	"deleted_at": null,
	"sha1_hash": "dcb9bd32f83ac667def20bba49584c1f0c878dec",
	"title": "Elastic Security prevents 100% of REvil ransomware samples",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 168838,
	"plain_text": "Elastic Security prevents 100% of REvil ransomware samples\r\nBy Jamie Butler\r\nPublished: 2021-07-07 · Archived: 2026-04-05 22:48:25 UTC\r\nUsers of Elastic Security are protected through numerous layers of protections against the REvil ransomware that\r\naffected Kaseya VSA and its customers. Elastic Security’s layered protections prevented 100% of the REvil\r\nransomware samples tested before damage and loss could occur to the business.\r\nWe believe that detections and preventions must be layered, as no single protection works 100% of the time. There\r\nare times where detection in the SIEM/central analytics layer is the most effective, especially when you need to\r\ntake signals from multiple places or correlate the activity to determine it is malicious. However, the most effective\r\nway to stop an attack is at the host. \r\nPrevention is paramount when it comes to ransomware. Teams cannot wait to be notified of an issue after their\r\ndata is encrypted. Layering in the context of multiple signals from anomalous logins to unusual processes can also\r\nbe telling during the early stages of a breach and help identify root cause. It is the combination of Elastic\r\nSecurity’s SIEM, Endpoint Security, and XDR capabilities in a single solution built for limitless analysis that can\r\nprotect your organization from damage and loss. \r\nBackground on Kaseya VSA supply-chain ransomware attack\r\nOn July 2, 2021, many internet sites and social media posts began warning about a ransomware attack targeting\r\nKaseya and its customers and their customers — a supply chain attack. Kaseya bills itself as an IT management\r\nplatform for IT teams and MSPs (Managed Security Providers). We have seen this type of attack in the past. The\r\ncurrent attack compromised between 800 and 1500 victims.\r\nPerhaps the worst part of the attack is that many of the victims are small businesses that were infected because\r\ntheir MSP or IT used Kaseya. 
The threat actors demanded $70M from Kaseya, which would be one of the largest\r\nsingle ransomware payouts. While this attack is alarming and perhaps unprecedented, Elastic Security has many\r\npreventions and ways to detect this attack.\r\nLayers of defense\r\nhttps://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=\u0026utm_medium=social\u0026utm_source=twitter\r\nPage 1 of 4\n\nMalwareScore\r\nThe first layer of defense the attack hit is Elastic’s signatureless malware prevention model, called MalwareScore.\r\nThis extremely compact and efficient model allows Elastic Security to stop previously unknown attacks\r\nleveraging the power of machine learning using an algorithm called gradient boosted decision trees. We tested all\r\nknown samples (Appendix A) and our malware prevention stopped 64.29%. It is important to note that this\r\ndefense is pre-execution, stopping this attack before any attacker code can run on the system. \r\nAll Elastic Security users and Elastic Endgame users were protected by MalwareScore since model version\r\n4.0.4000 released in March 2021.\r\nBehavioral ransomware prevention\r\nElastic also constantly monitors the file system for potential signs of ransomware activity with behavioral\r\nransomware prevention. This protection, which builds off of the lessons learned from the original Elastic Endgame\r\nimplementation and has been available since the 7.12 release of Elastic Security, is an added layer of heuristic\r\nprotection to stop any ransomware attack at runtime which MalwareScore may have missed. When we tested the\r\nfourteen REvil samples referenced in Appendix A, this protection had a prevention rate of 100%. 
Users of\r\nElastic Security have been protected by behavioral ransomware prevention against these samples since the 7.12\r\nrelease, while Elastic Endgame users have been protected since July 2020.\r\nAll Elastic Security users have been protected by behavioral ransomware since 7.12 released in March 2021.\r\nAll Elastic Endgame users were protected from July of last year (2020).\r\nSecurity analytics\r\nElastic Security provides free and open threat detection capabilities as well that help address techniques used by\r\nthe REvil criminal ransomware group, and which are developed in public with the community. Using information\r\ndisclosed by multiple organizations as well as Elastic’s own telemetry visibility, the following rules and machine-learning jobs may help those affected by this threat:\r\nDisabling Windows Defender Security Settings via PowerShell - During initial access, REvil operators used\r\nPowerShell to disable several critical security settings in Defender and which pertain to malware detection\r\nEnable Host Network Discovery via Netsh - REvil operators used the built-in Network Shell utility to enable local\r\nnetwork discovery, subverting the Windows Firewall\r\nEncoding or Decoding Files via CertUtil - REvil operators renamed the Windows CertUtil.exe application, which\r\nwas then used to decode their ransomware payload\r\nPotential DLL SideLoading via Microsoft Antimalware Service Executable - REvil operators deployed a\r\ndeprecated version of Microsoft Windows Defender which was vulnerable to DLL side-loading, and which\r\nprovided a mechanism to execute their decoded ransomware payload\r\nUnusual Process for a Windows Host - REvil operators used existing utilities to disable Windows Defender,\r\ndecode ransomware or enable network discovery; in environments where those 
utilities are rarely used, this\r\nmachine learning job may generically identify these behaviors\r\nMore is on the way\r\nJust because something is blocked today does not mean we can stop innovating on protections. Numerous soon-to-be-released protections also stopped this attack at the host. These protections, currently in diagnostic mode, were\r\ntested against the known samples.\r\nTo improve our chances of rapidly catching anomalous file modification behavior patterns typically indicative of\r\nransomware, we have incorporated canary files into our suite of layered protections. Elastic Security is optimized\r\nto immediately detect suspicious modifications to these specially crafted files, which are placed throughout the\r\nfile system in various locations which increase the odds that they are targeted at the onset of a ransomware\r\ninfection.\r\nWhen paired with our core behavioral ransomware prevention feature, canary files provide an effective means for\r\nreducing our mean time to detect post-execution ransomware and minimize potential adverse effects to the file\r\nsystem. When detonated in our testing environment, 100% of the REvil ransomware samples relating to this attack\r\nwere detected by modifications to canary files.\r\nElastic’s commitment to your business\r\nOur mission at Elastic Security is to protect the world’s data from attack. We are constantly innovating in the\r\nprotection space to ensure our users across the world are protected from tomorrow’s attacks. 
The solution delivers\r\nfree and open capabilities of SIEM, Endpoint Security, and XDR on a single platform built for limitless analysis,\r\nenabling organizations to prevent, detect, and respond before damage is done.\r\nIf you’re new to Elastic Security, you can experience our latest version on Elasticsearch Service on Elastic Cloud\r\nfor free.\r\nAppendix A\r\nBelow are the file hashes of the known samples of the Kaseya VSA supply-chain ransomware attack:\r\nCredit for hashes: Cado Security, Sophos, TruSec, Florian Roth, and DoublePulsar\r\nSource: 
https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=\u0026utm_medium=social\u0026utm_source=twitter",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=\u0026utm_medium=social\u0026utm_source=twitter"
	],
	"report_names": [
		"elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=\u0026utm_medium=social\u0026utm_source=twitter"
	],
	"threat_actors": [],
	"ts_created_at": 1775434401,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dcb9bd32f83ac667def20bba49584c1f0c878dec.pdf",
		"text": "https://archive.orkl.eu/dcb9bd32f83ac667def20bba49584c1f0c878dec.txt",
		"img": "https://archive.orkl.eu/dcb9bd32f83ac667def20bba49584c1f0c878dec.jpg"
	}
}