1. Home
  2. Software
  3. REvil

REvil

REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which as been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[1][2][3]

ID: S0496
Associated Software: Sodin, Sodinokibi
Type: MALWARE
Platforms: Windows
Contributors: Edward Millington
Version: 2.2
Created: 04 August 2020
Last Modified: 17 November 2024

Associated Software Descriptions

Name Description
Sodin

[2][4]
Sodinokibi

[1][2][5][4][6][7][8][9][10][11][1][12]
Enterprise Layer
download view
ICS Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows管理规范

REvil can use WMI to monitor for and kill specific processes listed in its configuration file.[7][3]
Enterprise T1036 .005 伪装: Match Legitimate Name or Location

REvil can mimic the names of known executables.[11]
Enterprise T1112 修改注册表

REvil can modify the Registry to save encryption parameters and system information.[6][7][9][2][1]
Enterprise T1573 .002 加密通道: Asymmetric Cryptography

REvil has encrypted C2 communications with the ECIES algorithm.[4]
Enterprise T1140 反混淆/解码文件或信息

REvil can decode encrypted strings to enable execution of commands and payloads.[5][4][6][9][2][1]
Enterprise T1059 .001 命令与脚本解释器: PowerShell

REvil has used PowerShell to delete volume shadow copies and download files.[7][8][2][3]
.003 命令与脚本解释器: Windows Command Shell

REvil can use the Windows command line to delete volume shadow copies and disable recovery.[6][8][11][1]
.005 命令与脚本解释器: Visual Basic

REvil has used obfuscated VBA macros for execution.[5][11]
Enterprise T1562 .001 妨碍防御: Disable or Modify Tools

REvil can connect to and disable the Symantec server on the victim's network.[6]
.009 妨碍防御: Safe Mode Boot

REvil can force a reboot in safe mode with networking.[13]
Enterprise T1071 .001 应用层协议: Web Protocols

REvil has used HTTP and HTTPS in communication with C2.[6][7][9][2][1]
Enterprise T1480 .002 执行保护: Mutual Exclusion

REvil attempts to create a mutex using a hard-coded value to ensure that no other instances of itself are running on the host.[14]
Enterprise T1486 数据加密以实现影响

REvil can encrypt files on victim systems and demands a ransom to decrypt the files.[4][6][8][10][2][11][1][12]
Enterprise T1485 数据销毁

REvil has the capability to destroy files and folders.[4][7][9][9][2][11][1]
Enterprise T1083 文件和目录发现

REvil has the ability to identify specific files and directories that are not to be encrypted.[4][6][7][9][2][1]
Enterprise T1489 服务停止

REvil has the capability to stop services and kill processes.[2][1]
Enterprise T1106 本机API

REvil can use Native API for execution and to retrieve active services.[1][2]
Enterprise T1069 .002 权限组发现: Domain Groups

REvil can identify the domain membership of a compromised host.[4][9][1]
Enterprise T1012 查询注册表

REvil can query the Registry to get random file extensions to append to encrypted files.[1]
Enterprise T1189 浏览器攻击

REvil has infected victim machines through compromised websites and exploit kits.[1][9][11][7]
Enterprise T1027 .011 混淆文件或信息: Fileless Storage

REvil can save encryption parameters and system information in the Registry.[6][7][9][2][1]
.013 混淆文件或信息: Encrypted/Encoded File

REvil has used encrypted strings and configuration files.[5][7][9][2][3][11][1]
Enterprise T1204 .002 用户执行: Malicious File

REvil has been executed via malicious MS Word e-mail attachments.[5][10][11]
Enterprise T1070 .004 移除指标: File Deletion

REvil can mark its binary code for deletion after reboot.[2]
Enterprise T1614 .001 系统位置发现: System Language Discovery

REvil can check the system language using GetUserDefaultUILanguage and GetSystemDefaultUILanguage. If the language is found in the list, the process terminates.[4]
Enterprise T1082 系统信息发现

REvil can identify the username, machine name, system language, keyboard layout, OS version, and system drive information on a compromised host.[4][6][7][9][9][2][3][1]
Enterprise T1490 系统恢复抑制

REvil can use vssadmin to delete volume shadow copies and bcdedit to disable recovery features.[4][6][7][8][9][2][11][1][12]
Enterprise T1007 系统服务发现

REvil can enumerate active services.[2]
Enterprise T1134 .001 访问令牌操控: Token Impersonation/Theft

REvil can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.[9]
.002 访问令牌操控: Create Process with Token

REvil can launch an instance of itself with administrative rights using runas.[1]
Enterprise T1105 输入工具传输

REvil can download a copy of itself from an attacker controlled IP address to the victim machine.[8][9][11]
Enterprise T1055 进程注入

REvil can inject itself into running processes on a compromised host.[10]
Enterprise T1041 通过C2信道渗出

REvil can exfiltrate host and malware information to C2 servers.[1]
Enterprise T1566 .001 钓鱼: Spearphishing Attachment

REvil has been distributed via malicious e-mail attachments including MS Word Documents.[5][6][1][9][11]
ICS T0828 Loss of Productivity and Revenue

The REvil malware gained access to an organizations network and encrypted sensitive files used by OT equipment. [15]
ICS T0849 Masquerading

REvil searches for whether the Ahnlab autoup.exe service is running on the target system and injects its payload into this existing process. [16]
ICS T0886 Remote Services

REvil uses the SMB protocol to encrypt files located on remotely connected file shares. [17]
ICS T0853 Scripting

REvil utilizes JavaScript, WScript, and PowerShell scripts to execute. The malicious JavaScript attachment has an obfuscated PowerShell script that executes the malware. [16]
ICS T0881 Service Stop

REvil searches for all processes listed in the prc field within its configuration file and then terminates each process. [18]
ICS T0869 Standard Application Layer Protocol

REvil sends HTTPS POST messages with randomly generated URLs to communicate with a remote server. [16] [14]
ICS T0882 Theft of Operational Information

REvil sends exfiltrated data from the victims system using HTTPS POST messages sent to the C2 system. [18] [14]
ICS T0863 User Execution

REvil initially executes when the user clicks on a JavaScript file included in the phishing emails .zip attachment. [16]

Groups That Use This Software

ID Name References
G0046 FIN7

[19][20][21][22]
G0115 GOLD SOUTHFIELD

[1][7]

References

  1. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  2. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  3. Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.
  4. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
  5. Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.
  6. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  7. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  8. Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
  9. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  10. Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020.
  11. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
  1. Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved November 17, 2024.
  2. Abrams, L. (2021, March 19). REvil ransomware has a new ‘Windows Safe Mode’ encryption mode. Retrieved June 23, 2021.
  3. SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 2021/04/12
  4. Selena Larson, Camille Singleton 2020, December RANSOMWARE IN ICS ENVIRONMENTS Retrieved. 2021/04/12
  5. Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12
  6. Max Heinemeyer 2020, February 21 Post-mortem of a targeted Sodinokibi ransomware attack Retrieved. 2021/04/12
  7. McAfee Labs 2019, October 02 McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service What The Code Tells Us Retrieved. 2021/04/12
  8. Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
  9. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  10. The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.
  11. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.