Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
43
Global rank
35 infographic chevron month
Month rank
18 infographic chevron week
Week rank
0
IOCs

REvil, also called Sodinokibi, is a notorious ransomware strain known for its use of sophisticated encryption techniques, high-profile targeted attacks, and connections to GandCrab.

Ransomware
Type
ex-USSR
Origin
1 April, 2019
First seen
20 December, 2024
Last seen
Also known as
Sodinokibi
Sodin

How to analyze REvil with ANY.RUN

Type
ex-USSR
Origin
1 April, 2019
First seen
20 December, 2024
Last seen

IOCs

Last Seen at

Recent blog posts

post image
Well done, ANY.RUN: Our Top Cybersecurity Awa...
watchers 214
comments 0
post image
How DFIR Analysts Use ANY.RUN Sandbox
watchers 309
comments 0
post image
How to Set up a Windows 11 Malware Sandbox
watchers 1116
comments 0

What is REvil ransomware?

REvil, also known as Sodinokibi, is a ransomware strain that emerged in 2019. This malicious software encrypts the victim's files and demands a ransom payment, typically in the form of cryptocurrency, to restore access to the encrypted data.

Believed to have originated from a cybercriminal group based in a former USSR country, REvil gained notoriety in the ransomware landscape due to its high-profile attacks on businesses, governments, and organizations worldwide.

The group behind REvil operates on a ransomware-as-a-service (RaaS) model, in which they develop the malware and manage the infrastructure, while affiliates responsible for distributing the ransomware receive a percentage of the ransom payments.

This ransomware is notorious for its bold attacks, which include, but are not limited to:

  • Grubman Shire Meiselas & Sacks attack (May 2020): REvil targeted a high-profile law firm, claiming to have stolen sensitive data and demanding a ransom of $42 million.
  • JBS S.A. attack (May 2021): JBS S.A. was forced to temporarily shut down all of its meat processing plants across the US and paid an $11 million ransom.
  • Kaseya attack July (2021): REvil exploited a vulnerability in the Kaseya VSA software, affecting multiple managed service providers (MSPs) and their customers. It is estimated that around 1,500 organizations were impacted, with the attackers demanding a $70 million ransom.

Numerous incidents caused by REvil led to significant supply chain disruptions, placing the gang in the crosshairs of international law enforcement. The infamous operation was eventually shut down due to an international law enforcement operation called GoldDust. The gang was reportedly dismantled in January 2022. However, some researchers believe that the malware family may resurface under a different name.

REvil ransomware origin

REvil is believed to be a successor to another notorious ransomware—GandCrab. Connections between REvil and GandCrab can be drawn from similarities in their operations and technical aspects. GandCrab, a ransomware strain that operated from January 2018 until its developers claimed to have "retired" in June 2019, boasted millions of dollars in profits. Shortly after GandCrab's supposed retirement, REvil emerged and rapidly gained prominence in the ransomware landscape.

Several reasons lead researchers to believe that the two crews are closely connected or even are the same crew:

Code and functionality similarities exist between GandCrab and REvil. Both strains employ similar methods to evade detection and achieve persistence in the infected system. Additionally, the ransom notes left by REvil bear a resemblance to those left by GandCrab in terms of language and structure.

Both GandCrab and REvil operated on a RaaS model and utilized similar affiliate programs. In these programs, the ransomware developers provide the infrastructure and receive a share of the ransom payments, while affiliates are responsible for distributing the malware.

REvil's code and ransom note compositions also share similarities with another active ransomware gang—DarkSide. This may suggest that the latter is an offshoot or a partner of the former, especially considering that REvil's code isn't publicly available.

REvil ransomware technical analysis

A recent variant of REvil employs a Safeboot routine to bypass security solutions that do not operate in Safemode. The ransomware also uses DLL sideloading to evade detection by running under the context of legitimate files or processes. In the Kaseya supply chain compromise, PowerShell commands were observed disabling Windows Defender.

SharpSploit, an attack framework with credential access capabilities using the Mimikatz module, has been observed in recent REvil campaigns. The gathered information is sent back to the threat actors using various methods, including the installation of FileZilla or third-party sync tools like MegaSync, FreeFileSync, and Rclone (64-bit).

REvil communicates with its command and control (C&C) infrastructure by generating pseudorandom URLs based on a fixed format. The URLs follow the pattern "https://{Domain}/{String 1}/{String 2}/{random characters}.{String 3}", with domain and strings extracted from the configuration file.

The encryption process has remained largely consistent since REvil's inception. The ransomware attempts to escalate privileges using exploits or token impersonation and creates a mutex. It then decrypts its JSON configuration file using the RC4 function to determine the subsequent routines. The configuration file contains various parameters, including public encryption keys, campaign IDs, whitelisted directories, and domains to contact after encryption.

Interestingly, REvil uses Elliptic Curve Diffie-Hellman (ECDH) is an asymmetric key exchange protocol that allows two parties to securely exchange cryptographic keys over a public channel. REvil uses ECDH to protect the Salsa20 or AES keys that were used to encrypt individual files, making its encryption algorithm practically uncrackable.

Analyzing REvil ransomware in ANY.RUN

ANY.RUN's cloud interactive sandbox allows you to effortlessly analyze REvil samples. Our platform automatically gathers and presents the execution data in easy-to-read formats, collecting artifacts and IOCs in real time.

ANY.RUN provides the ability to watch the REvil in action and perform the ransomware analysis via an interactive virtual sandbox simulation.

sodiokibi execution process graph Figure 1: illustrates the processes launched by REvil during its life cycle.

Through time, the "team" behind Revil\Sodinokibi changed the ransomware in a way to avoid detection. The earliest versions of it were easily detected by checking of creation of particular keys in the registry. After they got rid of this, there were still detection based on the similarity of ransom notes dropped inside the infected system. From the beginning, detection by Yara rules was possible.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

It was known that crooks behind REvil offered the decryption of three images for free. When the malware was active, you could use the interactivity of ANY.RUN to take additional steps in the analysis:

  • Open the website specified in a ransom note in the browser
  • Follow all steps to decrypt images to get a bigger picture of a ransomware infection process.

Sodinokibi payment website Figure 3: REvil payment website

REvil ransomware execution

REvil won't run malicious activity on systems where UI and keyboard languages are set to a specific value, such as Russian, Ukrainian, and 18 others. Although Sodinokibi is a "qualitative" type of malware, its execution, and system infection process, in general, is quite straightforward and similar to other ransomware - it decrypts files, erases shadow copies, and places ransom notes across the file system.

The process tree also doesn't look very exciting because all main activities are provided by a single executable. For all infected files, the ransomware changes extensions to generated. The added extension is the same as an ID which is unique and made by combining the hash of the value given by CPUID instruction and the volume serial number.

It should be noted that REvil will also try to encrypt files on network shares. After completion of the decryption process, the ransomware sets the background wallpaper to a ransom message.

workstation desktop after Sodinokibi infection Figure 2: Wallpapers with ransom message set by REvil

Interestingly, the authors of Sodinokibi created a high-quality website available at the domain decryptor.top, where victims can use a trial decryptor and have the opportunity to decrypt three images for free. Besides the decryption function, this website provides information such as the countdown (after time runs out, the ransom amount will be set to 5 000 dollars), instructions on how to buy bitcoins, and where to send them as well as information about the decryption process. If decryptor.top is not available, there is a possibility for victims to visit its .onion clone through the Tor web browser.

REvil ransomware distribution

REvil and its affiliates are known for highly-targeted attacks, and the infiltration vector can be tailored to suit the victim. Over time, this has led to a wide variety of distribution methods employed by this ransomware.

REvil can arrive through spear phishing emails containing an infected Microsoft Office or PDF document. Social engineering techniques are then used to trick the victim into downloading the payload and executing it by running a malicious script or macro. REvil can also be dropped by other malware, such as Qakbot and IcedID.

Another popular distribution method involves exploit kits. The use of the following exploits has been recorded:

  • CVE-2018-13379
  • CVE-2019-2725
  • CVE-2019-11510
  • CVE-2021-30116

Attackers may also attempt to gain access to a target network by brute-forcing Remote Desktop Protocol (RDP) credentials. And in the Kaseya VSA attack, the group exploited a zero-day vulnerability to compromise vulnerable VSA servers and distribute the ransomware to MSPs and their clients.

Following the initial infiltration, REvil likes to move laterally within the network to maximize the impact of the attack. For example, the adversary may attempt to extract user credentials from the infected system by dumping password hashes or using tools like Mimikatz to extract plaintext passwords from memory.

Lateral movement helps REvil to maximize the attack surface and exacerbate damages caused, giving it more leverage to demand a high ransom amount — often in the millions of US dollars.

Conclusion

Although REvil — one of the most high-profile ransomware operations in history — was allegedly squashed in a massive international law enforcement operation, the crew has a history of pulling temporary disappearance acts and is likely to come back again.

This might be the perfect time to study this threat, regroup, and prepare — because if and when REvil comes back, the new name might be different, but much of the code, techniques, and tactics employed will be the same.

Interested in more ransomware analysis like this one? Check out our breakdown of WannaCry ransomware — perhaps the only other malware that beats REvil in notoriety.

Or check out our analysis of IcedID— a malware that is known to drop REvil in some campaigns. By understanding the methods and strategies used by these notorious ransomware strains, you can better prepare your organization for potential future attacks and bolster your cybersecurity defenses.

HAVE A LOOK AT

Raspberry Robin screenshot
Raspberry Robin
raspberryrobin
Raspberry Robin is a trojan that primarily spreads through infected USB drives and exploits legitimate Windows commands. This malware is known for its advanced obfuscation techniques, anti-debugging mechanisms, and ability to gain persistence on infected systems. Raspberry Robin often communicates with command-and-control servers over the TOR network and can download additional malicious payloads.
Read More
Orcus RAT screenshot
Orcus RAT
orcus rat trojan
Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.
Read More
Grandoreiro screenshot
Grandoreiro
grandoreiro
Grandoreiro is a Latin American banking trojan first observed in 2016. It targets mostly Spanish-speaking countries, such as Brazil, Spain, Mexico and Peru. This malware is operated as a Malware-as-a-Service (MaaS), which makes it easily accessible for cybercriminals. Besides, it uses advanced techniques to evade detection.
Read More
X-Files screenshot
X-Files
xfiles
X-FILES Stealer is a sophisticated malware designed to infiltrate systems and steal sensitive information, targeting login credentials for email, social media, and other personal accounts. It captures data and transmits it back to the attacker’s command-and-control server. X-FILES Stealer employs advanced evasion techniques to avoid detection, making it a persistent threat in the cyber landscape.
Read More
PureCrypter screenshot
PureCrypter
purecrypter
First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system.
Read More
Stealc screenshot
Stealc
stealc
Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.
Read More