
REvil: A Saga of Evil Deeds of a Notorious Ransomware


Origin: April 2019

Alias: Sodinokibi, Sodin

Infection Vectors: Spam emails, Phishing, Vulnerability Exploitation, Lure, MalSpam, Supply chain, DLL Side-loading

Targeted Sectors: Information Technology, Government, Legal Services, Enterprise Services, Entertainment, E-Commerce, Retail Services, Healthcare, Energy and Power, Education, Communications, Transportation, Manufacturing, Electronics, and NGOs

Targeted Regions: North America, Western Europe, Eastern Europe, Eastern Asia, Western Asia, South East Asia, Middle East, South America

Motive: Data theft, Financial gains (via Ransom)

Threat Level: High


Introduction

REvil (aka Sodinokibi) is a well-known ransomware family that has made a comeback after its sudden disappearance from the Ransomware-as-a-Service (RaaS) business. The group was first promoted in June 2019 on a Russian-language cybercrime forum by its representative, Unknown (aka UNKN). Beyond its own efforts, the group owes most of its success to its affiliates: upon a successful heist, about 60% to 70% of the ransom payment goes to the affiliate. The group once worked with as many as 60 affiliates at a time; affiliates generally handle propagating the malware, while the malware operators run the payment infrastructure.

On its first anniversary, the group claimed, in an interview with a Russian YouTube channel, to have made over $100 million in a year by extorting large businesses across multiple sectors worldwide.

REvil’s attack portfolio encompasses all the major sectors, including Information Technology, Government, Legal Services, Enterprise Services, Entertainment, E-Commerce, Retail Services, Healthcare, Energy and Power, Education, Communications, Transportation, Manufacturing, Electronics, and NGOs. The targeted organizations in these sectors have been located mainly across North America, Western Europe, Eastern Europe, Eastern Asia, Western Asia, South East Asia, the Middle East, and South America.

To date, multiple versions of REvil have been discovered that are identified as REvil Beta, REvil 1.00, REvil 1.01, REvil 1.02, REvil 1.03, REvil 1.04, REvil v1.05, REvil v1.06, and REvil v1.07.

The Uncanny Resemblance

According to a researcher group, REvil’s source code and behavior are closely in line with those of GandCrab, an infamous ransomware, indicating a plausible connection between the two ransomware families. In fact, GandCrab officially retired around the same time the REvil group launched its operations. Moreover, the researchers say that GOLD SOUTHFIELD, the operators of GandCrab, developed REvil and now maintain the backend infrastructure used by affiliates to create malware builds and collect ransom payments.

The picture gets murkier still, as REvil’s ransomware code and ransom notes were found to resemble those of DarkSide, the threat actor group responsible for the attack on Colonial Pipeline. Both also used the same code to check whether a victim was located in a Commonwealth of Independent States (CIS) country. Since REvil’s code is not publicly available, many believe that DarkSide is either a subgroup of REvil or its partner.

There have also been claims that former affiliates of REvil are likely the owners of DarkSide, and experts argue that the DarkSide malware itself is based on REvil’s code. The group has further been associated with the newer BlackMatter group, which presumably retained features unique to the now-inactive DarkSide and REvil ransomware operations. At one point, the Prometheus ransomware gang claimed to be part of the REvil group, although no definite connection was established during research.

Planning and Strategies

From its launch in 2019 until the fall of that year, REvil’s strategy revolved around malvertising campaigns that redirected victims to the RIG exploit kit, which exploited outdated software within enterprises. The year, however, ended with REvil’s new name-and-shame threat to victims, alongside discount schemes wishing them “Merry Christmas and Happy Holidays.”

Maneuvering between campaigns, REvil and its affiliates worked through multiple plans. It was REvil that introduced, perhaps for the first time in the history of the dark web, data sales via an auction site, where it initially listed the data of a U.S. food distributor and a Canadian agricultural company at starting prices of $100,000 and $50,000, respectively. It further added the ability to scan for point-of-sale (POS) software, encrypt files in Windows Safe Mode, abuse Google SEO tricks (via Gootloader operators), and much more.

The group kept upgrading its tooling for attacks on corporate networks, adding the KPOT version 2.0 trojan, a classic information stealer, to its arsenal right after its $100 million claim. It was also allegedly involved in obtaining corporate and government network access on the dark web. The gang also released a Linux version of the REvil ransomware targeting VMware ESXi servers shortly before the Kaseya incident.

REvil excelled at grabbing headlines by switching strategies. At one point it announced plans to launch DDoS attacks and make voice calls to victims’ business partners and journalists if ransom payments or negotiations were delayed. In another move, it put forward an expansion plan and deposited around $1 million in bitcoin to attract more potential affiliates with exceptional skills.

Attack Timeline

2019: In April, the REvil gang was found exploiting the Oracle WebLogic vulnerability (CVE-2019-2725) to install the ransomware. The following month, it targeted three Managed Service Providers (MSPs) and compromised their remote management tools to deploy the ransomware. Around mid-year, the group shifted its targeting to the Asia-Pacific region, exploiting CVE-2018-8453 to gain elevated privileges on Windows. Meanwhile, another attack, impersonating officials from the German national cybersecurity authority, was spotted by the end of July. In September, the ransomware was being distributed through WordPress sites via a fake Q&A forum post containing a link to the ransomware installer.

2020: Experts revealed that the group was exploiting a security vulnerability (CVE-2019-11510) in Pulse Secure VPN, in intrusions that destroyed backups and disabled endpoint security controls. The next victim surfaced in April, when REvil actors hit the Florida town of Jupiter. The highlight of the year came in May, when they claimed to have exfiltrated 756GB of data from celebrity law firm Grubman Shire Meiselas & Sacks, whose clients include Lady Gaga, Drake, and Madonna. The group also claimed to have collected documents associated with former President Donald Trump. Due to suspicious claims by security researchers, the Trump administration labeled REvil a terrorist group. The hackers further claimed to be selling “dirty laundry” data concerning then-President Donald Trump. That month, the hackers also demanded a $7.5 million ransom from Sherwood Food Distributors.

July witnessed attacks on the Cooke County Sheriff's Office, Spain’s ADIF (800GB), and an alleged attack on eToro social trading platform by the affiliates of REvil. In the second week of August, Jack Daniel’s maker Brown-Forman was hit, whereas one of Chile’s biggest banks, BancoEstado, and a US-based supplier of video delivery software solutions, SeaChange International, disclosed attacks in September.

In Nov-Dec, actors using REvil ransomware crippled the networks at a social housing provider, Gaming Partners International, televangelist Kenneth Copeland Ministries, and The Hospital Group.

2021: The first victim of the year was Hong Kong-based Dairy Farm Group. After nearly two months, the group claimed to have compromised the networks of at least nine organizations, which supposedly include Pan-American Life Insurance Group, two law firms, an architectural firm, a construction company, an agricultural co-op, two international banks, and a manufacturing firm. Barely a week into the claim, the group added computer giant Acer to its victim list and demanded $50 million in ransom. In April, REvil suspended most production activities at France’s second-largest pharmaceutical group, Pierre Fabre, and attempted to extort Apple in another $50 million ransomware attack, this one on Taiwan-based Quanta Computer Inc., a key supplier to Apple and the largest laptop manufacturer. The last victim of the month was Brazil’s Tribunal de Justiça do Estado do Rio Grande do Sul.

In May, while the Colonial Pipeline attack was making headlines, REvil kept a low profile and focused on its next big target: JBS Foods, the world’s largest meat processing company. With little time to decide, the victim paid $11 million to the attackers to protect its customers. That month, REvil claimed more victims, including Invenergy LLC, FCUK, and Brazil-based Grupo Fleury, while only one victim, University Medical Center of Southern Nevada, was reported in June.

Then came the Kaseya moment. On July 2nd, 2021, Kaseya disclosed a supply chain ransomware attack on its MSP platform. A patch was released within two weeks of the attack, but by that time the attack had impacted over 1000 businesses globally, and the actors demanded $70 million to decrypt the files of all victims. Not long afterward, REvil disappeared from the internet, leaving everyone wondering whether it had vanished with the ransom money or whether pressure from U.S. or Russian authorities had driven it offline.

In September, after a break of around two and a half months, some activity was observed on REvil’s servers. The FBI was quick to allege that the Russian government had taken no steps to crack down on ransomware groups, as requested by U.S. President Joe Biden. The last reported victims of the REvil group after it resurfaced were the marketing firm Fimmick and Sinclair, the second-largest television station operator in the U.S.

Finally, in October, as per the latest updates, REvil’s Tor payment portal and data leak site were taken offline in a multi-country operation.

How to Stay Protected?

Organizations are advised to back up their most sensitive data offline to avoid larger payouts in case of ransomware incidents. Though REvil has disappeared from the cyber landscape for now, organizations must leverage real-time threat intelligence for improved defense against such threats. Additionally, continuous security awareness training for employees helps in the detection and reporting of phishing emails, the most common attack method of these actors. Last but not least, having a robust cybersecurity strategy in place is imperative, but it is incomplete, and potentially catastrophic, if OS and other software patches are missed.

Conclusion

REvil used a variety of new and advanced delivery techniques along with code complexity and resources to cause mayhem across enterprise networks. It kept working on better obfuscation techniques and continued to claim victims across almost all the sectors. At present, REvil seems to be offline. Whether it returns or not, organizations with a properly outlined contingency plan and leveraging real-time threat intelligence will be able to effectively counter this major ransomware threat.

Indicators of Compromise

REvil using DLL Sideloading
Filename
MsMpEng[.]exe
MpSvc[.]dll

MD5
5a97a50e45e64db41049fd88a75f2dd2
78066a1c4e075941272a86d4a8e49471

Kaseya attack
SHA256
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e
dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f
aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7
66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8
81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471
1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20
d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f
cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6
0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402
8e846ed965bbc0270a6f58c5818e039ef2fb78def4d2bf82348ca786ea0cea4f

DLL
C:\Windows\mpsvc[.]dll

Files involved
C:\windows\cert[.]exe
36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752
C:\windows\msmpeng[.]exe
33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
C:\kworking\agent[.]crt
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
C:\kworking\agent[.]exe
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

Domains
ncuccr[.]org
1team[.]es
4net[.]guru
35-40konkatsu[.]net
123vrachi[.]ru
4youbeautysalon[.]com
12starhd[.]online
101gowrie[.]com
8449nohate[.]org
1kbk[.]com[.]ua
365questions[.]org
321play[.]com[.]hk
candyhouseusa[.]com
andersongilmour[.]co[.]uk
facettenreich27[.]de
blgr[.]be
fannmedias[.]com
southeasternacademyofprosthodontics[.]org
filmstreamingvfcomplet[.]be
smartypractice[.]com
tanzschule-kieber[.]de
iqbalscientific[.]com
pasvenska[.]se
cursosgratuitosnainternet[.]com
bierensgebakkramen[.]nl
c2e-poitiers[.]com
gonzalezfornes[.]es
tonelektro[.]nl
milestoneshows[.]com
blossombeyond50[.]com
thomasvicino[.]com
kaotikkustomz[.]com
mindpackstudios[.]com
faroairporttransfers[.]net
daklesa[.]de
bxdf[.]info
simoneblum[.]de
gmto[.]fr
cerebralforce[.]net
myhostcloud[.]com
fotoscondron[.]com
sw1m[.]ru
homng[.]net
boosthybrid[.]com[.]au
makeitcount[.]at
danubecloud[.]com
takeflat[.]com
new[.]devon[.]gov[.]uk
huesges-gruppe[.]de
theclubms[.]com
hoteledenpadova[.]it
plastidip[.]com[.]ar
zimmerei-fl[.]de
whittier5k[.]com
cityorchardhtx[.]com
greenko[.]pl
eadsmurraypugh[.]com
yousay[.]site
autopfand24[.]de
artotelamsterdam[.]com
ftlc[.]es
waywithwords[.]net
skanah[.]com
unetica[.]fr
rksbusiness[.]com
simpliza[.]com
ora-it[.]de
geekwork[.]pl
microcirc[.]net
uimaan[.]fi
peterstrobos[.]com
wychowanieprzedszkolne[.]pl
marietteaernoudts[.]nl
lichencafe[.]com
withahmed[.]com
fundaciongregal[.]org
zervicethai[.]co[.]th
zso-mannheim[.]de
compliancesolutionsstrategies[.]com
retroearthstudio[.]com
corelifenutrition[.]com
maasreusel[.]nl
consultaractadenacimiento[.]com
deprobatehelp[.]com
effortlesspromo[.]com
enovos[.]de
globedivers[.]wordpress[.]com
bastutunnan[.]se
atmos-show[.]com
surespark[.]org[.]uk
radaradvies[.]nl
em-gmbh[.]ch
idemblogs[.]com
iyengaryogacharlotte[.]com
wien-mitte[.]co[.]at
sweering[.]fr
huehnerauge-entfernen[.]de
ihr-news[.]jp
mikeramirezcpa[.]com
parkcf[.]nl
sla-paris[.]com
parkstreetauto[.]net
sexandfessenjoon[.]wordpress[.]com
maratonaclubedeportugal[.]com
mylovelybluesky[.]com
connectedace[.]com
asiluxury[.]com
wari[.]com[.]pe
dutchbrewingcoffee[.]com
amylendscrestview[.]com
minipara[.]com
rocketccw[.]com
wacochamber[.]com
anybookreader[.]de
rimborsobancario[.]net
heurigen-bauer[.]at
purposeadvisorsolutions[.]com
y-archive[.]com
paulisdogshop[.]de
navyfederalautooverseas[.]com
aco-media[.]nl
spsshomeworkhelp[.]com
tomaso[.]gr
upmrkt[.]co
spacecitysisters[.]org
drinkseed[.]com
forskolorna[.]org
zewatchers[.]com
spd-ehningen[.]de
ohidesign[.]com
creative-waves[.]co[.]uk
desert-trails[.]com
troegs[.]com
abogadoengijon[.]es
the-virtualizer[.]com
urmasiimariiuniri[.]ro
castillobalduz[.]es
rafaut[.]com
rollingrockcolumbia[.]com
dekkinngay[.]com
restaurantesszimmer[.]de
mylolis[.]com
caribdoctor[.]org
cirugiauretra[.]es
eglectonk[.]online
colorofhorses[.]com
smokeysstoves[.]com
thewellnessmimi[.]com
hellohope[.]com
alten-mebel63[.]ru
dw-css[.]de
teczowadolina[.]bytom[.]pl
tenacitytenfold[.]com
drugdevice[.]org
toponlinecasinosuk[.]co[.]uk
iwelt[.]de
thailandholic[.]com
hkr-reise[.]de
schlafsack-test[.]net
mirjamholleman[.]nl
xn--rumung-bua[.]online
vannesteconstruct[.]be
chrissieperry[.]com
brevitempore[.]net
nuzech[.]com
sloverse[.]com
xn--vrftet-pua[.]biz
humancondition[.]com
mooshine[.]com
alfa-stroy72[.]com
offroadbeasts[.]com
americafirstcommittee[.]org
lapinvihreat[.]fi
chatizel-paysage[.]fr
deepsouthclothingcompany[.]com
allfortheloveofyou[.]com
rushhourappliances[.]com
international-sound-awards[.]com
aodaichandung[.]com
nandistribution[.]nl
lebellevue[.]fr
camsadviser[.]com
highimpactoutdoors[.]net
brandl-blumen[.]de
parking[.]netgateway[.]eu
modamilyon[.]com
cafemattmeera[.]com
csgospeltips[.]se
bauertree[.]com
gratispresent[.]se
solerluethi-allart[.]ch
tophumanservicescourses[.]com
siliconbeach-realestate[.]com
marketingsulweb[.]com
hotelzentral[.]at
hmsdanmark[.]dk
walter-lemm[.]de
softsproductkey[.]com
rota-installations[.]co[.]uk
talentwunder[.]com
boulderwelt-muenchen-west[.]de
corona-handles[.]com
euro-trend[.]pl
syndikat-asphaltfieber[.]de
kamahouse[.]net
cuppacap[.]com
cursoporcelanatoliquido[.]online
videomarketing[.]pro
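As an added example (not Cyware's tooling, nor anything from the REvil operators or the Kaseya investigation), the following Python script shows how a defender could operationalize the indicators above: it refangs the "[.]"-defanged domains and file paths, then sweeps constructed sample DNS log lines and a constructed file inventory for matching domains (including subdomains), matching SHA256 hashes, and the DLL side-loading pattern of a Windows Defender binary (MsMpEng.exe / MpSvc.dll) running from a directory other than Defender's own. The log line format, the inventory, the list of legitimate Defender directories and the placeholder hashes are assumptions; the domain and hash values are copied from the lists above.

```python
"""Sweep constructed sample telemetry for the REvil / Kaseya indicators listed
above. Added example, not Cyware's or the project's code. Indicator values are
copied from the page in their defanged form; the log lines, the file inventory
and the Defender directory list are constructed assumptions."""
import re
from pathlib import PureWindowsPath

# Subset of the defanged domains from the page (paste in more as needed).
DEFANGED_DOMAINS = [
    "ncuccr[.]org", "1team[.]es", "globedivers[.]wordpress[.]com",
    "new[.]devon[.]gov[.]uk", "xn--rumung-bua[.]online",
]
# Path -> SHA256 from the "Files involved" block above.
DEFANGED_FILES = {
    "C:\\windows\\cert[.]exe": "36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752",
    "C:\\windows\\msmpeng[.]exe": "33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a",
    "C:\\kworking\\agent[.]crt": "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd",
    "C:\\kworking\\agent[.]exe": "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e",
}
# Assumption: directories where a legitimate MsMpEng.exe / MpSvc.dll live.
DEFENDER_DIRS = (
    "c:\\program files\\windows defender",
    "c:\\programdata\\microsoft\\windows defender\\platform",
)
SIDELOAD_NAMES = ("msmpeng.exe", "mpsvc.dll")


def refang(indicator):
    """Turn the page's defanged 'a[.]b' form back into a usable, lowercase 'a.b'."""
    return indicator.replace("[.]", ".").lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
HASHES = {h.lower() for h in DEFANGED_FILES.values()}


def domain_hit(name):
    """Return the matching IoC domain for an exact or subdomain match, else None."""
    name = name.lower().rstrip(".")
    for ioc in DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


# Assumed log format: "... query=<qname> ..." (constructed for this example).
DNS_LOG_RE = re.compile(r"query=(?P<qname>\S+)")


def scan_dns_log(lines):
    """Return (queried name, matched IoC) pairs for every line that resolves an IoC domain."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.search(line)
        if m:
            ioc = domain_hit(m.group("qname"))
            if ioc:
                hits.append((m.group("qname"), ioc))
    return hits


def scan_files(inventory):
    """inventory: iterable of (path, sha256). Flags known-bad hashes and the
    side-loading pattern: Defender binaries located outside DEFENDER_DIRS."""
    findings = []
    for path, digest in inventory:
        p = PureWindowsPath(path)
        low = str(p).lower()
        if digest.lower() in HASHES:
            findings.append(("hash", low))
        if p.name.lower() in SIDELOAD_NAMES and not low.startswith(DEFENDER_DIRS):
            findings.append(("sideload-location", low))
    return findings


# Constructed sample telemetry; hashes on the malicious paths are from the page,
# the two all-zero / all-one digests are placeholders for files the page does not hash.
SAMPLE_DNS_LOG = [
    "2021-07-02T14:03:11Z host=WS-17 query=www.ncuccr.org type=A",
    "2021-07-02T14:03:12Z host=WS-17 query=updates.example.com type=A",
    "2021-07-02T14:05:40Z host=SRV-02 query=1team.es. type=A",
]
SAMPLE_INVENTORY = [
    ("C:\\Program Files\\Windows Defender\\MsMpEng.exe", "0" * 64),
    ("C:\\Windows\\msmpeng.exe", "33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a"),
    ("C:\\Windows\\mpsvc.dll", "1" * 64),
    ("C:\\kworking\\agent.crt", "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd"),
]

if __name__ == "__main__":
    for qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS hit: {qname} -> {ioc}")
    for kind, path in scan_files(SAMPLE_INVENTORY):
        print(f"File finding [{kind}]: {path}")
```

The location check is deliberately independent of the hash check: a rebuilt or repacked MpSvc.dll would not match any published hash, but a Defender binary sitting in C:\Windows rather than under Defender's own directories is still worth an alert. Treat the DEFENDER_DIRS tuple as an assumption to be validated against a known-good host before relying on it.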

Tags

revil ransomware
gandcrab
dirty laundry
name and shame tactic
jbs foods
sodinokibi operators
kaseya vsa
grubman shire meiselas sacks

Posted on: October 27, 2021
