Abstract maze

Three Steps to Surviving a Maze or Sodinokibi/REvil Ransomware Attack

By Brent Riley, Brandon Catalan

November 19, 2020

Jason Hale contributed to this article.

Ransomware threat groups, like those associated with Maze and Sodinokibi/REvil ransomware, have begun to steal data at an alarming rate. Additionally, ransom amounts are regularly hundreds of thousands or even millions of dollars. Prevention is essential, but preparation in case of an infection is the key to surviving a Maze, Sodinokibi/REvil, or other ransomware attack. Ankura has found that three steps can make the difference between a quick recovery or a lengthy, costly, and disruptive experience: effective backups, functional logging, and incident response planning.


Businesses, government entities, and academic institutions have been recently inundated with ransomware attacks where the threat actors have also stolen data to further extort their victims and ensure higher likelihood of payment. Threat groups associated with two ransomware variants have spearheaded this trend: Maze and Sodinokibi/REvil. When data is stolen, it becomes even more imperative to have prepared appropriately so the extent of the damage can be identified and quickly mitigated. We have identified key network and security decisions that make the difference between a rapid recovery or a highly disruptive experience that is impactful from an operational, financial, reputational, and business operations standpoint. This bulletin will outline these key steps for success in surviving a Maze or Sodinokibi/REvil ransomware attack:

  1. Create and maintain effective backups
  2. Configure functional logging
  3. Implement an incident response plan

Create and Maintain Effective Backups

A study found that in 2020, “while 90% of companies polled were backing up data, only 41% were doing so daily. Additionally, 25% of respondents advised they were storing those backups locally[i]” (Acronis Cyber Protection Week 2020 Survey, 2020). One of the most important elements to an effective Maze or Sodinokibi/REvil recovery is having effective and regularly tested data backups. Effective means that the backups are captured at a frequency that will mitigate data loss to an acceptable level. It also means that the backups are stored in a method and location where they are not likely to be affected by a ransomware attack. Finally, for backups to be effective, they need to facilitate quick and efficient system restoration. Anything less than this standard will increase the risk that recovery from backup is not viable or will prolong the recovery time for the organization.

Configure Functional Logging

Inadequate logging is a consistent challenge seen in the field. Log data has become even more vital with threat groups stealing data because it can be used to assess key metrics such as volume and scope in data access and exfiltration events. Adequate granularity in these metrics can make the difference between broad employee and customer notifications and limiting the exposure to a few or no individuals. While hindsight is 20/20, and prior preparation is best, we understand that sometimes an immediate expert solution is necessary to mitigate an ongoing ransomware attack. Managed detection and response teams assist by providing virtual or hardware-based systems to capture network traffic and endpoint activity. Employing a team of experts to monitor and filter this collected data provides meaningful alerts to thwart possible continued threat activity, that are enhanced through machine learning.

Implement an Incident Response Plan

The lack of an incident response plan is an issue often encountered during incident response evaluations. A study found that “77% of organizations did not have an incident response plan[ii]” (IBM Study: More Than Half of Organizations with Cybersecurity Incident Response Plans Fail to Test Them, 2020). Building an incident response plan is dually important as it serves as a roadmap to recovery and presents an opportunity for a company to simulate a ransomware infection, or any significant and likely cybersecurity event, including the associated impact on operations. An effective incident response plan for ransomware incidents covers staff roles from identification to containment and eradication of a threat, through recovery to a secure state. By defining roles and tasks in advance, team members quickly begin containing the incident and gathering crucial data that the investigation team will need to identify how the threat actor got in and determine the indicators of compromise, so the remediation process can begin. Planning for an attack from an advanced threat group, like those that utilize Maze and Sodinokibi/REvil, can help guide preparations on a macro and micro level.

[i] Kostos, D. (2020, April 02). The Results are In: Cyber Protection Week 2020 Survey. Retrieved November 05, 2020, from https://www.acronis.com/en-us/blog/posts/results-are-cyber-protection-week-2020-survey

[ii] IBM Study: More Than Half of Organizations with Cybersecurity Incident Response Plans Fail to Test Them. (2019). Retrieved November 05, 2020, from https://newsroom.ibm.com/2019-04-11-IBM-Study-More-Than-Half-of-Organizations-with-Cybersecurity-Incident-Response-Plans-Fail-to-Test-Them