BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
31
Global rank
37
Month rank
27
Week rank
216
IOCs

REvil, also called Sodinokibi, is a notorious ransomware strain known for its use of sophisticated encryption techniques, high-profile targeted attacks, and connections to GandCrab.

Ransomware
Type
ex-USSR
Origin
1 April, 2019
First seen
2 December, 2023
Last seen
Also known as
Sodinokibi
Sodin

How to analyze REvil with ANY.RUN

Type
ex-USSR
Origin
1 April, 2019
First seen
2 December, 2023
Last seen

IOCs

Hashes
e68838849a831a51c49737ec096e2bae80699b75f6b33080a211d53ea6cbe11e
0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d
945c7dc95767967f4482969ee2daf6968354307b017b7f9b6d7420b736996796
457936c28938616495836c472b3389a0870574bee6a5dc026d5bd14979c6202c
578d694adb18d1dda0ee217c2c08e2e99f5d1bb9bafe6f3962844bbe6e6ebf12
dd5d924287c449916696424da479ba122a70c5f4b419d9856b036e030c22de00
ffae85401d87052ef22aaabf8e941c5f9096056e0b586f0b463cc6b0254463ea
86f0a102ed4a4f82f843484cc045df5bea53118d25496086a68a7f791a3ab27b
d91f951bdcf35012ac6b47c28cf32ec143e4269243d8c229f6cb326fd343df95
60c49baa290de5336e5903286d1e8ff8b8b833046a63be00966695dc9d3f6dbb
d191761ac8a7b0a3525764664609a8fccfa3732d331c525e9c1c9eb0a7068a9c
37e70756c4c08c35bda589cd345b97c4db75fa3b85618d0b5d5a20d20bf76bb9
93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7
12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39
f450ef75377d132cd469ad569e97ae64dc0abc225a3755da32495c625141f3ab
04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864
fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278
66060484cccedb839fb646d4e6020e079319374b2847c52dcec55c5ad60b1beb
154cb7a5938f62a49d0fd65a25846d3372d65a06d6d1e344ee59edca16e58272
720fbe60f049848f02ba9b2b91926f80ba65b84f0d831a55f4e634c820bd0848
Last Seen at

Recent blog posts

3 Cybersecurity Events ANY.RUN Attended in No...
watchers 140
comments 0
5 malware threats we discovered in the wild i...
watchers 343
comments 0
RisePro Malware Analysis: Exploring C2 Commun...
watchers 2312
comments 0

What is REvil ransomware?

REvil, also known as Sodinokibi, is a ransomware strain that emerged in 2019. This malicious software encrypts the victim's files and demands a ransom payment, typically in the form of cryptocurrency, to restore access to the encrypted data.

Believed to have originated from a cybercriminal group based in a former USSR country, REvil gained notoriety in the ransomware landscape due to its high-profile attacks on businesses, governments, and organizations worldwide.

The group behind REvil operates on a ransomware-as-a-service (RaaS) model, in which they develop the malware and manage the infrastructure, while affiliates responsible for distributing the ransomware receive a percentage of the ransom payments.

This ransomware is notorious for its bold attacks, which include, but are not limited to:

  • Grubman Shire Meiselas & Sacks attack (May 2020): REvil targeted a high-profile law firm, claiming to have stolen sensitive data and demanding a ransom of $42 million.
  • JBS S.A. attack (May 2021): JBS S.A. was forced to temporarily shut down all of its meat processing plants across the US and paid an $11 million ransom.
  • Kaseya attack July (2021): REvil exploited a vulnerability in the Kaseya VSA software, affecting multiple managed service providers (MSPs) and their customers. It is estimated that around 1,500 organizations were impacted, with the attackers demanding a $70 million ransom.

Numerous incidents caused by REvil led to significant supply chain disruptions, placing the gang in the crosshairs of international law enforcement. The infamous operation was eventually shut down due to an international law enforcement operation called GoldDust. The gang was reportedly dismantled in January 2022. However, some researchers believe that the malware family may resurface under a different name.

REvil ransomware origin

REvil is believed to be a successor to another notorious ransomware—GandCrab. Connections between REvil and GandCrab can be drawn from similarities in their operations and technical aspects. GandCrab, a ransomware strain that operated from January 2018 until its developers claimed to have "retired" in June 2019, boasted millions of dollars in profits. Shortly after GandCrab's supposed retirement, REvil emerged and rapidly gained prominence in the ransomware landscape.

Several reasons lead researchers to believe that the two crews are closely connected or even are the same crew:

Code and functionality similarities exist between GandCrab and REvil. Both strains employ similar methods to evade detection and achieve persistence in the infected system. Additionally, the ransom notes left by REvil bear a resemblance to those left by GandCrab in terms of language and structure.

Both GandCrab and REvil operated on a RaaS model and utilized similar affiliate programs. In these programs, the ransomware developers provide the infrastructure and receive a share of the ransom payments, while affiliates are responsible for distributing the malware.

REvil's code and ransom note compositions also share similarities with another active ransomware gang—DarkSide. This may suggest that the latter is an offshoot or a partner of the former, especially considering that REvil's code isn't publicly available.

REvil ransomware technical analysis

A recent variant of REvil employs a Safeboot routine to bypass security solutions that do not operate in Safemode. The ransomware also uses DLL sideloading to evade detection by running under the context of legitimate files or processes. In the Kaseya supply chain compromise, PowerShell commands were observed disabling Windows Defender.

SharpSploit, an attack framework with credential access capabilities using the Mimikatz module, has been observed in recent REvil campaigns. The gathered information is sent back to the threat actors using various methods, including the installation of FileZilla or third-party sync tools like MegaSync, FreeFileSync, and Rclone (64-bit).

REvil communicates with its command and control (C&C) infrastructure by generating pseudorandom URLs based on a fixed format. The URLs follow the pattern "https://{Domain}/{String 1}/{String 2}/{random characters}.{String 3}", with domain and strings extracted from the configuration file.

The encryption process has remained largely consistent since REvil's inception. The ransomware attempts to escalate privileges using exploits or token impersonation and creates a mutex. It then decrypts its JSON configuration file using the RC4 function to determine the subsequent routines. The configuration file contains various parameters, including public encryption keys, campaign IDs, whitelisted directories, and domains to contact after encryption.

Interestingly, REvil uses Elliptic Curve Diffie-Hellman (ECDH) is an asymmetric key exchange protocol that allows two parties to securely exchange cryptographic keys over a public channel. REvil uses ECDH to protect the Salsa20 or AES keys that were used to encrypt individual files, making its encryption algorithm practically uncrackable.

Analyzing REvil ransomware in ANY.RUN

ANY.RUN's cloud interactive sandbox allows you to effortlessly analyze REvil samples. Our platform automatically gathers and presents the execution data in easy-to-read formats, collecting artifacts and IOCs in real time.

ANY.RUN provides the ability to watch the REvil in action and perform the ransomware analysis via an interactive virtual sandbox simulation.

sodiokibi execution process graph Figure 1: illustrates the processes launched by REvil during its life cycle.

Through time, the "team" behind Revil\Sodinokibi changed the ransomware in a way to avoid detection. The earliest versions of it were easily detected by checking of creation of particular keys in the registry. After they got rid of this, there were still detection based on the similarity of ransom notes dropped inside the infected system. From the beginning, detection by Yara rules was possible.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

It was known that crooks behind REvil offered the decryption of three images for free. When the malware was active, you could use the interactivity of ANY.RUN to take additional steps in the analysis:

  • Open the website specified in a ransom note in the browser
  • Follow all steps to decrypt images to get a bigger picture of a ransomware infection process.

Sodinokibi payment website Figure 3: REvil payment website

REvil ransomware execution

REvil won't run malicious activity on systems where UI and keyboard languages are set to a specific value, such as Russian, Ukrainian, and 18 others. Although Sodinokibi is a "qualitative" type of malware, its execution, and system infection process, in general, is quite straightforward and similar to other ransomware - it decrypts files, erases shadow copies, and places ransom notes across the file system.

The process tree also doesn't look very exciting because all main activities are provided by a single executable. For all infected files, the ransomware changes extensions to generated. The added extension is the same as an ID which is unique and made by combining the hash of the value given by CPUID instruction and the volume serial number.

It should be noted that REvil will also try to encrypt files on network shares. After completion of the decryption process, the ransomware sets the background wallpaper to a ransom message.

workstation desktop after Sodinokibi infection Figure 2: Wallpapers with ransom message set by REvil

Interestingly, the authors of Sodinokibi created a high-quality website available at the domain decryptor.top, where victims can use a trial decryptor and have the opportunity to decrypt three images for free. Besides the decryption function, this website provides information such as the countdown (after time runs out, the ransom amount will be set to 5 000 dollars), instructions on how to buy bitcoins, and where to send them as well as information about the decryption process. If decryptor.top is not available, there is a possibility for victims to visit its .onion clone through the Tor web browser.

REvil ransomware distribution

REvil and its affiliates are known for highly-targeted attacks, and the infiltration vector can be tailored to suit the victim. Over time, this has led to a wide variety of distribution methods employed by this ransomware.

REvil can arrive through spear phishing emails containing an infected Microsoft Office or PDF document. Social engineering techniques are then used to trick the victim into downloading the payload and executing it by running a malicious script or macro. REvil can also be dropped by other malware, such as Qakbot and IcedID.

Another popular distribution method involves exploit kits. The use of the following exploits has been recorded:

  • CVE-2018-13379
  • CVE-2019-2725
  • CVE-2019-11510
  • CVE-2021-30116

Attackers may also attempt to gain access to a target network by brute-forcing Remote Desktop Protocol (RDP) credentials. And in the Kaseya VSA attack, the group exploited a zero-day vulnerability to compromise vulnerable VSA servers and distribute the ransomware to MSPs and their clients.

Following the initial infiltration, REvil likes to move laterally within the network to maximize the impact of the attack. For example, the adversary may attempt to extract user credentials from the infected system by dumping password hashes or using tools like Mimikatz to extract plaintext passwords from memory.

Lateral movement helps REvil to maximize the attack surface and exacerbate damages caused, giving it more leverage to demand a high ransom amount — often in the millions of US dollars.

Conclusion

Although REvil — one of the most high-profile ransomware operations in history — was allegedly squashed in a massive international law enforcement operation, the crew has a history of pulling temporary disappearance acts and is likely to come back again.

This might be the perfect time to study this threat, regroup, and prepare — because if and when REvil comes back, the new name might be different, but much of the code, techniques, and tactics employed will be the same.

Interested in more ransomware analysis like this one? Check out our breakdown of WannaCry ransomware — perhaps the only other malware that beats REvil in notoriety.

Or check out our analysis of IcedID— a malware that is known to drop REvil in some campaigns. By understanding the methods and strategies used by these notorious ransomware strains, you can better prepare your organization for potential future attacks and bolster your cybersecurity defenses.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy