BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
33
Global rank
30 infographic chevron month
Month rank
38 infographic chevron week
Week rank
216
IOCs

REvil, also called Sodinokibi, is a notorious ransomware strain known for its use of sophisticated encryption techniques, high-profile targeted attacks, and connections to GandCrab.

Ransomware
Type
ex-USSR
Origin
1 April, 2019
First seen
22 May, 2024
Last seen
Also known as
Sodinokibi
Sodin

How to analyze REvil with ANY.RUN

Type
ex-USSR
Origin
1 April, 2019
First seen
22 May, 2024
Last seen

IOCs

Hashes
74ce1be7fe32869dbbfe599d7992c306a7ee693eb517924135975daa64a3a92f
1a0ad8c18bef043ce1d8e8c1094ddbb08ae8d8ec7c0cf633ffe7a213f6929a5e
8b7e39a325e6c6cec05fa9ddc8d75f09192e27a22790cf57d56bac289f9bdafd
2df2fab33c1db5b049284a6bd5aa1f58bec4cb370b0663870b6a57ef33b5028c
6ff970f1502347acd2d00e7746e40fba48995abbe26271d13102753c55694078
36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd
87219b4b2c64a53589d1b1ea5faa037c7666bf2e4b2995fea9436263ce1f910d
139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548
9793e0ba85d2b0c14960b6cc506fe2aecb952795e167d504e2701b4dd399dbb6
0b0b2fdff74516db18bb37a91372792e0887c8730f4f7f44b3d880f79699a0a1
cf04bd11d61e4ebe13a8f898f2bebd828d2ffb7f248b0b166f2ad6e753efcb74
6eb8e811ba663ffee249a3debc32646070d3662c34cc99a5f580c750c46c71ed
d04c7efff113ea3b882beffee52c3a3e41ce6a204440e708f4a4aebe7fa321db
51372400bbe34a1744901245949fba88e6150ab7a1c7bc0a9b3b4d64bf792eff
3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45
7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678
b78469fb8eff53d82081bdcb0dbb3436f239b8ca6ef7fd800ce5ba7e098c256f
7cd8f10164a6c3209574751d16c4e9297334f11a08ade649055450d41e0d31e9
a07aef29c402d38cbf0bd399de0226ad91bf4d4614e3ceb587d2099df82f7cf6
1dc818f51827d89a545493921f8648299f3eb367c1e0354969ccaa9df7ce77b5
Last Seen at

Recent blog posts

post image
ANY.RUN attends Osintomático 2024
watchers 48
comments 0
post image
Windows 11 UAC Bypass in Modern Malware
watchers 657
comments 0
post image
New Hijack Loader Variant: Uses Process Hollo...
watchers 564
comments 0

What is REvil ransomware?

REvil, also known as Sodinokibi, is a ransomware strain that emerged in 2019. This malicious software encrypts the victim's files and demands a ransom payment, typically in the form of cryptocurrency, to restore access to the encrypted data.

Believed to have originated from a cybercriminal group based in a former USSR country, REvil gained notoriety in the ransomware landscape due to its high-profile attacks on businesses, governments, and organizations worldwide.

The group behind REvil operates on a ransomware-as-a-service (RaaS) model, in which they develop the malware and manage the infrastructure, while affiliates responsible for distributing the ransomware receive a percentage of the ransom payments.

This ransomware is notorious for its bold attacks, which include, but are not limited to:

  • Grubman Shire Meiselas & Sacks attack (May 2020): REvil targeted a high-profile law firm, claiming to have stolen sensitive data and demanding a ransom of $42 million.
  • JBS S.A. attack (May 2021): JBS S.A. was forced to temporarily shut down all of its meat processing plants across the US and paid an $11 million ransom.
  • Kaseya attack July (2021): REvil exploited a vulnerability in the Kaseya VSA software, affecting multiple managed service providers (MSPs) and their customers. It is estimated that around 1,500 organizations were impacted, with the attackers demanding a $70 million ransom.

Numerous incidents caused by REvil led to significant supply chain disruptions, placing the gang in the crosshairs of international law enforcement. The infamous operation was eventually shut down due to an international law enforcement operation called GoldDust. The gang was reportedly dismantled in January 2022. However, some researchers believe that the malware family may resurface under a different name.

REvil ransomware origin

REvil is believed to be a successor to another notorious ransomware—GandCrab. Connections between REvil and GandCrab can be drawn from similarities in their operations and technical aspects. GandCrab, a ransomware strain that operated from January 2018 until its developers claimed to have "retired" in June 2019, boasted millions of dollars in profits. Shortly after GandCrab's supposed retirement, REvil emerged and rapidly gained prominence in the ransomware landscape.

Several reasons lead researchers to believe that the two crews are closely connected or even are the same crew:

Code and functionality similarities exist between GandCrab and REvil. Both strains employ similar methods to evade detection and achieve persistence in the infected system. Additionally, the ransom notes left by REvil bear a resemblance to those left by GandCrab in terms of language and structure.

Both GandCrab and REvil operated on a RaaS model and utilized similar affiliate programs. In these programs, the ransomware developers provide the infrastructure and receive a share of the ransom payments, while affiliates are responsible for distributing the malware.

REvil's code and ransom note compositions also share similarities with another active ransomware gang—DarkSide. This may suggest that the latter is an offshoot or a partner of the former, especially considering that REvil's code isn't publicly available.

REvil ransomware technical analysis

A recent variant of REvil employs a Safeboot routine to bypass security solutions that do not operate in Safemode. The ransomware also uses DLL sideloading to evade detection by running under the context of legitimate files or processes. In the Kaseya supply chain compromise, PowerShell commands were observed disabling Windows Defender.

SharpSploit, an attack framework with credential access capabilities using the Mimikatz module, has been observed in recent REvil campaigns. The gathered information is sent back to the threat actors using various methods, including the installation of FileZilla or third-party sync tools like MegaSync, FreeFileSync, and Rclone (64-bit).

REvil communicates with its command and control (C&C) infrastructure by generating pseudorandom URLs based on a fixed format. The URLs follow the pattern "https://{Domain}/{String 1}/{String 2}/{random characters}.{String 3}", with domain and strings extracted from the configuration file.

The encryption process has remained largely consistent since REvil's inception. The ransomware attempts to escalate privileges using exploits or token impersonation and creates a mutex. It then decrypts its JSON configuration file using the RC4 function to determine the subsequent routines. The configuration file contains various parameters, including public encryption keys, campaign IDs, whitelisted directories, and domains to contact after encryption.

Interestingly, REvil uses Elliptic Curve Diffie-Hellman (ECDH) is an asymmetric key exchange protocol that allows two parties to securely exchange cryptographic keys over a public channel. REvil uses ECDH to protect the Salsa20 or AES keys that were used to encrypt individual files, making its encryption algorithm practically uncrackable.

Analyzing REvil ransomware in ANY.RUN

ANY.RUN's cloud interactive sandbox allows you to effortlessly analyze REvil samples. Our platform automatically gathers and presents the execution data in easy-to-read formats, collecting artifacts and IOCs in real time.

ANY.RUN provides the ability to watch the REvil in action and perform the ransomware analysis via an interactive virtual sandbox simulation.

sodiokibi execution process graph Figure 1: illustrates the processes launched by REvil during its life cycle.

Through time, the "team" behind Revil\Sodinokibi changed the ransomware in a way to avoid detection. The earliest versions of it were easily detected by checking of creation of particular keys in the registry. After they got rid of this, there were still detection based on the similarity of ransom notes dropped inside the infected system. From the beginning, detection by Yara rules was possible.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

It was known that crooks behind REvil offered the decryption of three images for free. When the malware was active, you could use the interactivity of ANY.RUN to take additional steps in the analysis:

  • Open the website specified in a ransom note in the browser
  • Follow all steps to decrypt images to get a bigger picture of a ransomware infection process.

Sodinokibi payment website Figure 3: REvil payment website

REvil ransomware execution

REvil won't run malicious activity on systems where UI and keyboard languages are set to a specific value, such as Russian, Ukrainian, and 18 others. Although Sodinokibi is a "qualitative" type of malware, its execution, and system infection process, in general, is quite straightforward and similar to other ransomware - it decrypts files, erases shadow copies, and places ransom notes across the file system.

The process tree also doesn't look very exciting because all main activities are provided by a single executable. For all infected files, the ransomware changes extensions to generated. The added extension is the same as an ID which is unique and made by combining the hash of the value given by CPUID instruction and the volume serial number.

It should be noted that REvil will also try to encrypt files on network shares. After completion of the decryption process, the ransomware sets the background wallpaper to a ransom message.

workstation desktop after Sodinokibi infection Figure 2: Wallpapers with ransom message set by REvil

Interestingly, the authors of Sodinokibi created a high-quality website available at the domain decryptor.top, where victims can use a trial decryptor and have the opportunity to decrypt three images for free. Besides the decryption function, this website provides information such as the countdown (after time runs out, the ransom amount will be set to 5 000 dollars), instructions on how to buy bitcoins, and where to send them as well as information about the decryption process. If decryptor.top is not available, there is a possibility for victims to visit its .onion clone through the Tor web browser.

REvil ransomware distribution

REvil and its affiliates are known for highly-targeted attacks, and the infiltration vector can be tailored to suit the victim. Over time, this has led to a wide variety of distribution methods employed by this ransomware.

REvil can arrive through spear phishing emails containing an infected Microsoft Office or PDF document. Social engineering techniques are then used to trick the victim into downloading the payload and executing it by running a malicious script or macro. REvil can also be dropped by other malware, such as Qakbot and IcedID.

Another popular distribution method involves exploit kits. The use of the following exploits has been recorded:

  • CVE-2018-13379
  • CVE-2019-2725
  • CVE-2019-11510
  • CVE-2021-30116

Attackers may also attempt to gain access to a target network by brute-forcing Remote Desktop Protocol (RDP) credentials. And in the Kaseya VSA attack, the group exploited a zero-day vulnerability to compromise vulnerable VSA servers and distribute the ransomware to MSPs and their clients.

Following the initial infiltration, REvil likes to move laterally within the network to maximize the impact of the attack. For example, the adversary may attempt to extract user credentials from the infected system by dumping password hashes or using tools like Mimikatz to extract plaintext passwords from memory.

Lateral movement helps REvil to maximize the attack surface and exacerbate damages caused, giving it more leverage to demand a high ransom amount — often in the millions of US dollars.

Conclusion

Although REvil — one of the most high-profile ransomware operations in history — was allegedly squashed in a massive international law enforcement operation, the crew has a history of pulling temporary disappearance acts and is likely to come back again.

This might be the perfect time to study this threat, regroup, and prepare — because if and when REvil comes back, the new name might be different, but much of the code, techniques, and tactics employed will be the same.

Interested in more ransomware analysis like this one? Check out our breakdown of WannaCry ransomware — perhaps the only other malware that beats REvil in notoriety.

Or check out our analysis of IcedID— a malware that is known to drop REvil in some campaigns. By understanding the methods and strategies used by these notorious ransomware strains, you can better prepare your organization for potential future attacks and bolster your cybersecurity defenses.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy