REvil | |
Type of Malware | Ransomware |
Additional names | Sodinokibi, Sodin |
Country of Origin | Russia or neighbouring Eastern European countries |
Date of initial activity | 2019 |
Targeted Countries | United States, Mexico, Germany, Japan, Israel, India, Singapore, Brazil, Thailand, Taiwan |
Associated Groups | GOLD SOUTHFIELD (Secureworks' name for the core operators), GandCrab / Pinchy Spider (the predecessor RaaS operation with which REvil shares code), FIN7 (reported affiliate overlap). As a Ransomware as a Service (RaaS) operation, REvil relies on numerous affiliates who carry out the actual intrusions using REvil's ransomware tools. |
Motivation | Financial Gain |
Tools | Sodinokibi Ransomware, Cobalt Strike, PowerShell Scripts and Batch Files, Credential Dumping Tools (like Mimikatz). |
Targeted System | Windows and Linux |
Overview
REvil, also known as Sodinokibi, is a ransomware group that has been active since at least April 2019. Operating as a Ransomware as a Service (RaaS), REvil supplies its ransomware to affiliates who carry out the actual intrusions, with ransom proceeds split between the affiliates and the core operators. This model lets the group scale its reach and impact well beyond what a single crew could manage. REvil is known for targeting high-profile companies and demanding ransoms that often run into the millions of dollars. Its most notable victims include JBS Foods, an international meat processor, and Kaseya, whose VSA remote-management product was exploited in July 2021 to push the ransomware to managed service providers and their customers.
REvil employs a particularly ruthless strategy known as double extortion. In addition to encrypting the victim’s data, they steal sensitive information and threaten to release it publicly if the ransom is not paid. This tactic puts additional pressure on victims, compelling many to comply with the ransom demands to avoid both the loss of their data and the public exposure of their confidential information. To facilitate this extortion, REvil maintains a dark web presence where they publish stolen data from victims who refuse to pay. This site, known as the “Happy Blog,” serves both as a tool for additional coercion and a means to publicly shame their victims.
The technical sophistication of REvil’s ransomware is another hallmark of their operations. Their malware includes advanced features such as the ability to delete shadow copies to prevent data recovery, obfuscation techniques to evade detection, and the use of strong encryption algorithms. These capabilities make their ransomware particularly effective and difficult to counteract. Despite their technological prowess, REvil has faced significant pressure from law enforcement agencies worldwide. There have been arrests of suspected REvil affiliates, and on several occasions, authorities have managed to seize servers and disrupt the group’s operations temporarily.
REvil also has a history of disappearing and rebranding to evade law enforcement. They have periodically gone dark, only to resurface later with new tactics or under different names. This cat-and-mouse game with authorities highlights the ongoing challenges in combating sophisticated cybercrime organizations. The impact of REvil’s attacks on their victims is profound, often resulting in operational disruptions, financial losses, and reputational damage. Their targets span various sectors, including healthcare, technology, and food supply chains, underscoring the widespread threat posed by their activities.
Targets
REvil targets a wide range of industries and sectors, typically focusing on organizations that can afford to pay substantial ransoms and whose operations are critical enough that disruption would cause significant harm. Sectors: Healthcare, Food Supply Chain, Technology and IT Services, Financial Services, Manufacturing, Professional Services, Government and Public Sector, Education.
Attack Vectors
REvil employs multiple attack vectors to gain initial access to victim networks, establish persistence, and deploy their ransomware. These vectors leverage various techniques and tools to exploit vulnerabilities, bypass defenses, and maximize the impact of their attacks. Here are some of the primary attack vectors used by REvil:
Phishing and Social Engineering:
Malicious Emails: REvil often uses phishing emails to trick recipients into clicking on malicious links or downloading infected attachments. These emails are designed to look legitimate and can mimic trusted entities or services.
Spear Phishing: Targeted phishing attacks, or spear phishing, are directed at specific individuals within an organization, often using information gathered from social engineering to increase the likelihood of success.
Exploitation of Vulnerabilities:
Software Vulnerabilities: REvil exploits known vulnerabilities in widely used, internet-facing enterprise software, such as Microsoft Exchange, VPN appliances and remote-management products, to gain initial access.
Zero-Day Exploits: Occasionally, REvil uses zero-day exploits, which are vulnerabilities that are not yet known to the software vendor or the public, making them particularly dangerous and difficult to defend against.
Remote Desktop Protocol (RDP) Attacks:
Brute Force Attacks: REvil affiliates use automated tools to brute-force RDP logins, guessing passwords for accounts with weak or default credentials.
Exposed RDP Services: They scan the internet for systems with RDP exposed and use stolen or guessed credentials to log in and establish a foothold in the network.
Third-Party Software and Managed Service Providers (MSPs):
Supply Chain Attacks: REvil targets third-party software providers and MSPs to gain access to multiple clients through a single breach. The attack on Kaseya is a prominent example, where exploiting the VSA software allowed them to infect numerous managed service providers and their clients.
Software Updates: They compromise legitimate software updates to distribute their malware, leveraging the trust that organizations place in these updates.
Credential Theft and Reuse:
Credential Dumping: Once inside a network, REvil uses tools like Mimikatz to steal credentials from compromised systems. These credentials are then used to move laterally within the network.
Password Spraying and Credential Stuffing: They use previously stolen or leaked credentials to access systems. Password spraying involves using a few common passwords against many accounts, while credential stuffing uses large sets of stolen credentials.
Malware and Exploit Kits:
Initial Access Malware: REvil deploys initial access malware to establish a foothold in the network. This malware can open backdoors, disable security measures, and facilitate the deployment of the ransomware payload.
Exploit Kits: They use exploit kits, which are tools that automate the exploitation of vulnerabilities in software to deliver malware.
Living off the Land (LotL) Techniques:
Using Legitimate Tools: REvil often uses legitimate administrative tools and commands to carry out their activities, making detection more difficult. For example, they use PowerShell scripts, Windows Management Instrumentation (WMI), and PsExec to move laterally and execute their ransomware.
Abusing System Features: They abuse operating-system features such as the Volume Shadow Copy Service (VSS), deleting shadow copies and disabling Windows recovery options to increase the impact of their ransomware.
By employing a combination of these attack vectors, REvil can effectively penetrate target networks, spread laterally, and deploy their ransomware, ensuring maximum disruption and increasing the likelihood of ransom payment.
How they operate
REvil’s operation is characterized by its professionalism, use of advanced tools, and psychological manipulation to maximize pressure on victims. REvil operates using a structured and methodical approach that involves multiple stages, from initial access to extortion. Here’s a detailed overview of their operation process:
Initial Access:
Phishing and Social Engineering: REvil often begins with phishing campaigns, sending emails with malicious attachments or links. These emails are designed to appear legitimate, often impersonating trusted entities.
Exploitation of Vulnerabilities: They exploit known vulnerabilities in software and hardware. For instance, they target unpatched systems or use zero-day vulnerabilities. The Kaseya attack is an example where they exploited a vulnerability in the VSA software.
Remote Desktop Protocol (RDP): They gain access through poorly secured RDP, using brute force attacks or stolen credentials to log into the network.
Establishing Foothold:
Dropping Malware: Once they gain access, they drop initial malware, often using tools like Cobalt Strike for reconnaissance and further exploitation.
Persistence: They establish persistence by creating backdoors, ensuring they can maintain access even if detected and initial access points are closed.
Credential Harvesting and Lateral Movement:
Credential Dumping: Using tools like Mimikatz, they extract credentials from the compromised system to escalate privileges and move laterally across the network.
Spreading Malware: They deploy their ransomware payload across multiple systems within the network, using legitimate tools like PowerShell scripts or batch files for automation.
Payload Deployment:
Encrypting Data: The core tool, the Sodinokibi ransomware, encrypts files on the victim's systems with a per-file Salsa20 key that is in turn protected with a Curve25519 key exchange, so the data cannot be recovered without the operators' private key.
Deleting Backups: To ensure victims cannot recover their data without paying, they delete Volume Shadow Copies and disable Windows recovery, typically with vssadmin.exe Delete Shadows /All /Quiet followed by bcdedit /set {default} recoveryenabled No (later versions delete shadow copies through PowerShell and WMI on post-XP systems), and terminate backup-related processes and services before encryption.
Exfiltration and Double Extortion:
Data Theft: Before encrypting files, REvil often exfiltrates sensitive data. This data is then used as leverage for double extortion.
Double Extortion: They not only demand a ransom for the decryption key but also threaten to release the stolen data publicly if the ransom is not paid. This increases the pressure on the victims to pay.
Ransom Demands and Negotiation:
Ransom Note: Victims receive a ransom note with instructions on how to pay, usually demanding cryptocurrency like Bitcoin or Monero.
Negotiation: REvil often engages in negotiations, sometimes adjusting the ransom amount based on the victim’s response and ability to pay.
Payment and Decryption:
Receiving Payment: Once the ransom is paid, typically through cryptocurrency transactions, REvil provides the decryption key to restore access to the encrypted data.
Public Data Leak: If the ransom is not paid, they may follow through on their threat to publish the stolen data on their dark web site, the “Happy Blog.”
Operational Security and Evasion:
Obfuscation and Evasion: REvil uses obfuscation techniques to evade detection by security software. They also continuously adapt their tactics to circumvent security measures.
Temporary Disappearances: The group has a history of going dark temporarily to evade law enforcement, only to reappear later under the same or a different name, often with new tactics or improved tools.
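The recovery-inhibition step above is the one point in the chain where REvil has to run a recognisable command on every host, which makes it a reliable detection. The following Python is an added example (not code from the page or from any vendor product) that scans process-creation events for the commands the page describes: vssadmin shadow deletion, bcdedit recovery changes, wmic shadowcopy deletion and the PowerShell/WMI Win32_Shadowcopy deletion. The events are constructed for the demonstration in a simplified time|host|parent|image|command export rather than a real event format, and the hostnames, times and paths are made up. PowerShell -EncodedCommand payloads are decoded before matching, because the WMI variant is normally launched base64-encoded and would otherwise evade a plain string match.

```python
"""Detect REvil's recovery-inhibition commands (ATT&CK T1490) in process-creation events.

Added example, not code from the page or from any vendor.  Sample events are
constructed; the command patterns are the ones the page describes.
"""
import base64
import re

# (rule name, regex); matched case-insensitively against the command line plus
# any decoded -EncodedCommand payload.
RULES = [
    ("vssadmin_delete_shadows", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("wmic_shadowcopy_delete", r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("bcdedit_disable_recovery",
     r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
     r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("powershell_wmi_shadowcopy_delete", r"win32_shadowcopy[\s\S]*\.delete\(\)"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

# powershell -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def normalise(cmdline):
    """Append the decoded -EncodedCommand script, if any, so the rules see the real command."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not a valid payload: match on the raw line only
    return f"{cmdline} <decoded: {decoded}>"


def scan(events):
    """Return one hit dict per (event, rule) match, in event order."""
    hits = []
    for line in events:
        time, host, parent, image, cmd = line.split("|", 4)
        text = normalise(cmd)
        for name, rx in COMPILED:
            if rx.search(text):
                hits.append({"rule": name, "time": time, "host": host,
                             "parent": parent, "image": image, "command": cmd})
    return hits


# Constructed sample events (hostnames, times and paths are made up).
WMI_SCRIPT = "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
ENCODED_SAMPLE = base64.b64encode(WMI_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    "2021-07-02T14:03:11Z|WS-114|explorer.exe|C:\\Windows\\System32\\cmd.exe|"
    "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} "
    "recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2021-07-02T14:03:12Z|WS-114|cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -e " + ENCODED_SAMPLE,
    "2021-07-02T14:05:40Z|WS-114|services.exe|C:\\Windows\\System32\\vssadmin.exe|"
    "vssadmin list shadows",  # benign: listing, not deleting
    "2021-07-02T14:06:02Z|SRV-01|cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|"
    "wmic shadowcopy delete",
]


def run_sample():
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for hit in run_sample():
        print(f"{hit['time']} {hit['host']} {hit['rule']}: {hit['command'][:80]}")
```

A single cmd.exe event in the sample fires two rules (vssadmin and bcdedit), which is the shape of the chained command REvil actually runs; a real deployment would feed Sysmon Event ID 1 or Security 4688 command lines into scan() and alert on any hit outside a known backup-maintenance window.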
Techniques Used (MITRE)
Initial Access
T1566 – Phishing
T1190 – Exploit public-facing application
T1189 – Drive-by compromise
T1195 – Supply chain compromise
T1078 – Valid accounts
Execution
T1106 – Native API (formerly Execution through API)
T1059 – Command and scripting interpreter
T1129 – Shared modules
T1204 – User execution
Persistence
T1547 – Boot or logon autostart execution
T1574 – Hijack execution flow
Privilege Escalation
T1134 – Access token manipulation
T1068 – Exploitation for privilege escalation
T1574 – Hijack execution flow
Defense Evasion
T1027 – Obfuscated files or information
T1562 – Impair defenses
T1574 – Hijack execution flow
Discovery
T1083 – File and directory discovery
T1018 – Remote system discovery
T1057 – Process discovery
T1082 – System information discovery
T1012 – Query registry
T1518.001 – Security software discovery (formerly T1063)
Credential Access
T1003 – OS credential dumping
T1552 – Unsecured credentials
Lateral Movement
T1570 – Lateral tool transfer
Collection
T1560 – Archive collected data
T1005 – Data from local system
Command and Control
T1071 – Application Layer Protocol
Exfiltration
T1567 – Exfiltration over web service
T1048 – Exfiltration over alternative protocol
Impact
T1486 – Data encrypted for impact
T1489 – Service stop
T1490 – Inhibit system recovery
T1529 – System shutdown/reboot
T1491 – Defacement
Variants
REvil Beta
MD5: bed6fc04aeb785815744706239a1f243
SHA1: 3d0649b5f76dbbff9f86b926afbd18ae028946bf
SHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45
* Privilege escalation via CVE-2018-8453 (64-bit only)
* Rerun with RunAs to elevate privileges
* Implements a requirement that if “exp” is set, privilege escalation must be successful for full execution to occur
* Implements target whitelisting using GetKeyboardLayoutList
* Contains debug console logging functionality
* Defines the REvil registry root key as SOFTWARE\!test
* Includes two variable placeholders in the ransom note: UID & KEY
* Terminates processes specified in the “prc” configuration key prior to encryption
* Deletes shadow copies and disables recovery
* Wipes contents of folders specified in the “wfld” configuration key prior to encryption
* Encrypts all non-whitelisted files on fixed drives
* Encrypts all non-whitelisted files on network mapped drives if it is running with System-level privileges or can impersonate the security context of explorer.exe
* Partially implements a background image setting to display a basic “Image text” message
* Sends encrypted system data to a C2 domain via an HTTPS POST request (URI path building is not implemented.)
————————————
REvil 1.00
MD5: 65aa793c000762174b2f86077bdafaea
SHA1: 95a21e764ad0c98ea3d034d293aee5511e7c8457
SHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc
* Adds 32-bit implementation of CVE-2018-8453 exploit
* Removes console debug logging
* Changes the REvil registry root key to SOFTWARE\recfg
* Removes the System/Impersonation success requirement for encrypting network mapped drives
* Adds a “wipe” key to the configuration for optional folder wiping
* Fully implements the background image setting and leverages values defined in the “img” configuration key
* Adds an EXT variable placeholder to the ransom note to support UID, KEY, and EXT
* Implements URI path building so encrypted system data is sent to a C2 pseudo-random URL
* Fixes the function that returns the victim’s username so the correct value is placed in the stats JSON data
————————————
REvil 1.01
MD5: 2abff29b4d87f30f011874b6e98959e9
SHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732c
SHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb
* Removes the exp/privilege escalation requirement for full execution and encrypts data regardless of privilege level
* Makes encryption of network mapped drives optional by adding the “-nolan” argument
————————————
REvil 1.02
MD5: 4af953b20f3a1f165e7cf31d6156c035
SHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299
SHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4
* Enhances whitelisting validation by adding inspection of GetUserDefaultUILanguage and GetSystemDefaultUILanguage
* Partially implements “lock file” logic by generating a lock filename based on the first four bytes of the Base64-decoded pk key, appending a .lock file extension, and adding the filename to the list of whitelisted files in the REvil configuration (It does not appear that this value is referenced after it is created and stored in memory. There is no evidence that a lock file is dropped to disk.)
* Enhances folder whitelisting logic, which takes special considerations if the folder is associated with “program files” directories
* Hard-codes whitelisting of all direct content within the Program Files or Program Files x86 directories
* Hard-codes whitelisting of “sql” subfolders within program files
* Encrypts Program Files sub-folders that do not contain “sql” in the path
* Compares other folders to the list of whitelisted folders specified in the REvil configuration to determine if they are whitelisted
* Encodes stored strings used for URI building within the binary and decodes them in memory right before use
* Introduces a REvil registry root key “sub_key” registry value containing the attacker’s public key
————————————
REvil 1.03
MD5: 3cae02306a95564b1fff4ea45a7dfc00
SHA1: 0ce2cae5287a64138d273007b34933362901783d
SHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf
* Removes lock file logic that was partially implemented in 1.02
* Leverages WMI to continuously monitor for and kill newly launched processes whose names are listed in the prc configuration key (Previous versions performed this action once.)
* Encodes stored shellcode
* Adds the -path argument:
* Does not wipe folders (even if wipe == true)
* Does not set desktop background
* Does not contact the C2 server (even if net == true)
* Encrypts files in the specified folder and drops the ransom note
* Changes the REvil registry root key to SOFTWARE\QtProject\OrganizationDefaults
* Changes registry key values from –> to:
* sub_key –> pvg
* pk_key –> sxsP
* sk_key –> BDDC8
* 0_key –> f7gVD7
* rnd_ext –> Xu7Nnkd
* stat –> sMMnxpgk
————————————
REvil 1.04
MD5: 6e3efb83299d800edf1624ecbc0665e7
SHA1: 0bd22f204c5373f1a22d9a02c59f69f354a2cc0d
SHA256: 2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6
* Leverages PowerShell and WMI to delete shadow copies if the victim’s operating system is newer than Windows XP (For Windows XP or older, it uses the original command that was executed in all previous REvil versions.)
* Removes the folder wipe capability
* Changes the REvil registry root key to SOFTWARE\GitForWindows
* Changes registry key values from –> to:
* pvg –> QPM
* sxsP –> cMtS
* BDDC8 –> WGg7j
* f7gVD7 –> zbhs8h
* Xu7Nnkd –> H85TP10
* sMMnxpgk –> GCZg2PXD
————————————
REvil v1.05
MD5: cfefcc2edc5c54c74b76e7d1d29e69b2
SHA1: 7423c57db390def08154b77e2b5e043d92d320c7
SHA256: e430479d1ca03a1bc5414e28f6cdbb301939c4c95547492cdbe27b0a123344ea
* Adds a new ‘arn’ configuration key containing a boolean true/false value that controls whether or not to set up persistence.
* Implements persistence functionality via registry Run key. Data for value is set to the full path and filename of the currently running executable. The executable is never moved into any ‘working directory’ such as %AppData% or %TEMP% as part of the persistence setup. The Reg Value used is the hardcoded value of ‘lNOWZyAWVv’ :
* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lNOWZyAWVv
* Before exiting, REvil sets up its malicious executable to be deleted upon reboot by issuing a call to MoveFileExW and setting the destination to NULL and the flags to 4 (MOVEFILE_DELAY_UNTIL_REBOOT). This breaks persistence however as the target executable specified in the Run key will no longer exist once this is done.
* Changes registry key values from –> to:
* QPM –> tgE
* cMtS –> 8K09
* WGg7j –> xMtNc
* zbhs8h –> CTgE4a
* H85TP10 –> oE5bZg0
* GCZg2PXD –> DC408Qp4
————————————
REvil v1.06
MD5: 65ff37973426c09b9ff95f354e62959e
SHA1: b53bc09cfbd292af7b3609734a99d101bd24d77e
SHA256: 0e37d9d0a7441a98119eb1361a0605042c4db0e8369b54ba26e6ba08d9b62f1e
* Updated string decoding function to break existing YARA rules. Likely the result of the blog posted by us.
* Modified handling of network file encryption. Now explicitly passes every possible “Scope” constant to the WNetOpenEnum function when looking for files to encrypt. It also changes the “Resource Type” from RESOURCETYPE_DISK to RESOURCETYPE_ANY, which will now include things like mapped printers.
* Persistence registry value changed from ‘lNOWZyAWVv’ to ‘sNpEShi30R’
* Changes registry key values from –> to:
* tgE –> 73g
* 8K09 –> vTGj
* xMtNc –> Q7PZe
* CTgE4a –> BuCrIp
* oE5bZg0 –> lcZd7OY
* DC408Qp4 –> sLF86MWC
————————————
REvil v1.07
MD5: ea4cae3d6d8150215a4d90593a4c30f2
SHA1: 8dcbcbefaedf5675b170af3fd44db93ad864894e
SHA256: 6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3
TBD
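The registry artefacts catalogued above (the configuration root key and value names, which change with every version, and the Run persistence value introduced in 1.05) are what a responder can check on a suspect host without the sample in hand. The following Python is an added example, not code from the page or from the original malware analysis, that triages the text of a reg export against those indicators. It also checks the 1.05 self-delete behaviour: MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT records the request in the PendingFileRenameOperations value under Session Manager, so a Run value whose target is queued for deletion is the fingerprint of that version. The export below is constructed for the demonstration and is not from a real incident; the assumptions are that the input is already decoded from the UTF-16 .reg file and that both HKLM and HKCU are worth checking, since the key location depends on the privilege REvil ran with.

```python
"""Offline triage of a Windows registry export for REvil registry artefacts.

Added example, not from the page or the original analysis.  Indicator tables
are transcribed from the version notes; the sample export is constructed.
"""
import re

ROOT_KEYS = {  # configuration root key per version range
    r"SOFTWARE\!test": "beta",
    r"SOFTWARE\recfg": "1.00-1.02",
    r"SOFTWARE\QtProject\OrganizationDefaults": "1.03",
    r"SOFTWARE\GitForWindows": "1.04-1.06",
}
VALUE_SETS = {  # value names under the root key, used to pin the version
    "1.02": {"sub_key", "pk_key", "sk_key", "0_key", "rnd_ext", "stat"},
    "1.03": {"pvg", "sxsP", "BDDC8", "f7gVD7", "Xu7Nnkd", "sMMnxpgk"},
    "1.04": {"QPM", "cMtS", "WGg7j", "zbhs8h", "H85TP10", "GCZg2PXD"},
    "1.05": {"tgE", "8K09", "xMtNc", "CTgE4a", "oE5bZg0", "DC408Qp4"},
    "1.06": {"73g", "vTGj", "Q7PZe", "BuCrIp", "lcZd7OY", "sLF86MWC"},
}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"lNOWZyAWVv": "1.05", "sNpEShi30R": "1.06"}
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"  # where MOVEFILE_DELAY_UNTIL_REBOOT lands


def parse_reg_export(text):
    """Return {key path without hive: {value name: raw .reg data}} (HKLM and HKCU merged)."""
    keys, current, carry = {}, None, ""
    for raw in text.splitlines():
        line = carry + raw.strip()
        if line.endswith("\\"):  # .reg wraps long hex data with a trailing backslash
            carry = line[:-1]
            continue
        carry = ""
        m = re.match(r"^\[(?:HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\]$", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def _unquote(data):
    """Turn a .reg string value back into a plain string."""
    if not (data.startswith('"') and data.endswith('"')):
        return data
    return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def _decode_multi_sz(data):
    """Decode a .reg hex(7): REG_MULTI_SZ value into its non-empty strings."""
    raw = bytes.fromhex(data.split(":", 1)[1].replace(",", ""))
    return [s for s in raw.decode("utf-16-le").split("\0") if s]


def _multi_sz_hex(strings):
    """Encode strings as .reg hex(7): text (used only to build the sample export)."""
    raw = ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def triage(keys):
    """Return human-readable findings for REvil artefacts in a parsed export."""
    findings, persisted = [], {}
    for path, values in keys.items():
        if path in ROOT_KEYS:
            pinned = [v for v, names in VALUE_SETS.items() if names <= set(values)]
            label = pinned[0] if pinned else ROOT_KEYS[path]
            findings.append(f"config root key {path} present (version {label})")
    for name, data in keys.get(RUN_KEY, {}).items():
        if name in RUN_VALUES:
            exe = _unquote(data)
            persisted[exe.lower()] = name
            findings.append(f"Run value {name} -> {exe} (version {RUN_VALUES[name]})")
    pending = keys.get(PENDING_KEY, {}).get(PENDING_VALUE)
    for entry in (_decode_multi_sz(pending) if pending else []):
        path = entry[4:] if entry.startswith("\\??\\") else entry  # strip NT prefix
        if path.lower() in persisted:
            findings.append(f"{path} is queued for deletion at reboot while still referenced "
                            f"by Run value {persisted[path.lower()]} (1.05 self-delete, breaks persistence)")
    return findings


# Constructed sample export: a 1.05 host with the persistence bug visible.
SAMPLE_EXE = "C:\\Users\\victim\\Downloads\\invoice.exe"
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\GitForWindows]",
    '"tgE"=hex:4a,7f', '"8K09"=hex:01,02', '"xMtNc"=hex:03', '"CTgE4a"=hex:04',
    '"oE5bZg0"="5k2qz"', '"DC408Qp4"="{\\"ver\\":1}"', "",
    r"[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    '"lNOWZyAWVv"="' + SAMPLE_EXE.replace("\\", "\\\\") + '"',
    '"OneDrive"="C:\\\\Users\\\\victim\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe"', "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]",
    f'"{PENDING_VALUE}"=' + _multi_sz_hex(["\\??\\" + SAMPLE_EXE, ""]),
])


def run_sample():
    return triage(parse_reg_export(SAMPLE_REG))


if __name__ == "__main__":
    print("\n".join(run_sample()))
```

On a live host the same checks map to reg export HKLM\SOFTWARE and HKCU\SOFTWARE plus the Session Manager key; the version pin is only as good as the value-name table, so a root key with an unknown value set should still be treated as a hit and reported with its version range.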
Significant Malware Campaigns
- Kaseya VSA supply-chain attack: the REvil gang, best known for extorting $11 million from meat processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries. (July 2021)
- JBS admits paying the REvil ransomware group $11 million. (June 2021)
- Texas municipalities: the coordinated REvil/Sodinokibi attacks on local governments in Texas began in the early morning of August 16, 2019. (September 2019)
- Russia-based REvil launched a ransomware attack through Kaseya VSA that may have affected hundreds of companies. (July 2021)
References:
- Hackers demand $70 million to end biggest ransomware attack on record
- JBS Admits Paying REvil Ransomware Group $11 Million
- Russia-linked cybercriminal group REvil behind meatpacker JBS attack
- Texas Municipalities Hit by REvil/Sodinokibi Paid No Ransom, Over Half Resume Operations
- REvil ransomware group strikes again with attack on hundreds of companies right before long holiday weekend
- Understanding REvil: REvil Threat Actors May Have Returned (Updated)
- REvil / Sodinokibi: The Crown Prince of Ransomware
- A Detailed Analysis of The Last Version of REvil Ransomware
- REvil/Sodinokibi Ransomware
- REvil Development Adds Confidence About GOLD SOUTHFIELD Reemergence
- REvil