S0496 REvil
REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[2][6][4]
Item | Value |
---|---|
ID | S0496 |
Associated Names | Sodin, Sodinokibi |
Type | MALWARE |
Version | 2.1 |
Created | 04 August 2020 |
Last Modified | 26 March 2023 |
Associated Software Descriptions
Name | Description |
---|---|
Sodin | [6][7] |
Sodinokibi | [2][6][5][7][3][1][11][8][10][9][2][12] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1134 | Access Token Manipulation | - |
enterprise | T1134.001 | Token Impersonation/Theft | REvil can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.[8] |
enterprise | T1134.002 | Create Process with Token | REvil can launch an instance of itself with administrative rights using runas.[2] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | REvil has used HTTP and HTTPS in communication with C2.[3][11][8][6][2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | REvil has used PowerShell to delete volume shadow copies and download files.[1][11][6][4] |
enterprise | T1059.003 | Windows Command Shell | REvil can use the Windows command line to delete volume shadow copies and disable recovery.[3][1][9][2] |
enterprise | T1059.005 | Visual Basic | REvil has used obfuscated VBA macros for execution.[5][9] |
enterprise | T1485 | Data Destruction | REvil has the capability to destroy files and folders.[7][11][8][8][6][9][2] |
enterprise | T1486 | Data Encrypted for Impact | REvil can encrypt files on victim systems and demands a ransom to decrypt the files.[7][3][1][10][6][9][2][12] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | REvil can decode encrypted strings to enable execution of commands and payloads.[5][7][3][8][6][2] |
enterprise | T1189 | Drive-by Compromise | REvil has infected victim machines through compromised websites and exploit kits.[2][8][9][11] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.002 | Asymmetric Cryptography | REvil has encrypted C2 communications with the ECIES algorithm.[7] |
enterprise | T1041 | Exfiltration Over C2 Channel | REvil can exfiltrate host and malware information to C2 servers.[2] |
enterprise | T1083 | File and Directory Discovery | REvil has the ability to identify specific files and directories that are not to be encrypted.[7][3][11][8][6][2] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | REvil can connect to and disable the Symantec server on the victim's network.[3] |
enterprise | T1562.009 | Safe Mode Boot | REvil can force a reboot in safe mode with networking.[13] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | REvil can mark its binary code for deletion after reboot.[6] |
enterprise | T1105 | Ingress Tool Transfer | REvil can download a copy of itself from an attacker-controlled IP address to the victim machine.[1][8][9] |
enterprise | T1490 | Inhibit System Recovery | REvil can use vssadmin to delete volume shadow copies and bcdedit to disable recovery features.[7][3][1][11][8][6][9][2][12] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | REvil can mimic the names of known executables.[9] |
enterprise | T1112 | Modify Registry | REvil can modify the Registry to save encryption parameters and system information.[3][11][8][6][2] |
enterprise | T1106 | Native API | REvil can use Native API for execution and to retrieve active services.[2][6] |
enterprise | T1027 | Obfuscated Files or Information | REvil has used encrypted strings and configuration files.[5][11][8][6][4][9][2] |
enterprise | T1027.011 | Fileless Storage | REvil can save encryption parameters and system information in the Registry.[3][11][8][6][2] |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.002 | Domain Groups | REvil can identify the domain membership of a compromised host.[7][8][2] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | REvil has been distributed via malicious e-mail attachments, including MS Word documents.[5][3][2][8][9] |
enterprise | T1055 | Process Injection | REvil can inject itself into running processes on a compromised host.[10] |
enterprise | T1012 | Query Registry | REvil can query the Registry to get random file extensions to append to encrypted files.[2] |
enterprise | T1489 | Service Stop | REvil has the capability to stop services and kill processes.[6][2] |
enterprise | T1082 | System Information Discovery | REvil can identify the username, machine name, system language, keyboard layout, OS version, and system drive information on a compromised host.[7][3][11][8][8][6][4][2] |
enterprise | T1614 | System Location Discovery | - |
enterprise | T1614.001 | System Language Discovery | REvil can check the system language using GetUserDefaultUILanguage and GetSystemDefaultUILanguage. If the language is found in the list, the process terminates.[7] |
enterprise | T1007 | System Service Discovery | REvil can enumerate active services.[6] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | REvil has been executed via malicious MS Word e-mail attachments.[5][10][9] |
enterprise | T1047 | Windows Management Instrumentation | REvil can use WMI to monitor for and kill specific processes listed in its configuration file.[11][4] |
ics | T0828 | Loss of Productivity and Revenue | The REvil malware gained access to an organization's network and encrypted sensitive files used by OT equipment.[18] |
ics | T0849 | Masquerading | REvil checks whether the Ahnlab autoup.exe service is running on the target system and injects its payload into this existing process.[17] |
ics | T0886 | Remote Services | REvil uses the SMB protocol to encrypt files located on remotely connected file shares.[14] |
ics | T0853 | Scripting | REvil utilizes JavaScript, WScript, and PowerShell scripts to execute. The malicious JavaScript attachment contains an obfuscated PowerShell script that executes the malware.[17] |
ics | T0881 | Service Stop | REvil searches for all processes listed in the prc field within its configuration file and then terminates each process.[15] |
ics | T0869 | Standard Application Layer Protocol | REvil sends HTTPS POST messages with randomly generated URLs to communicate with a remote server.[17][16] |
ics | T0882 | Theft of Operational Information | REvil sends exfiltrated data from the victim's system using HTTPS POST messages sent to the C2 system.[15][16] |
ics | T0863 | User Execution | REvil initially executes when the user clicks on a JavaScript file included in the phishing email's .zip attachment.[17] |
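The T1490, T1059.001 and T1059.003 rows above describe the same defender-relevant behaviour from three angles: shadow copies are deleted and recovery is disabled through vssadmin, bcdedit and PowerShell. The following detection helper is an added example, not code from MITRE ATT&CK or from any of the cited REvil analyses. It assumes a feed of process-creation command lines (such as those carried in Sysmon Event ID 1 or Windows Security Event 4688), normalises each one, expands a PowerShell `-EncodedCommand` argument if present (the page notes REvil's use of obfuscated PowerShell), and maps matches back to the technique IDs in the table. The sample events, the `Finding` type and the rule set are all constructed for the example.

```python
"""Flag process-creation command lines consistent with REvil-style recovery inhibition.

Constructed example for the T1490 / T1059 rows; it is not code from MITRE ATT&CK
or from any REvil analysis. The event format (one command line per event), the
sample events and the rule set below are assumptions made for the example.
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str      # ATT&CK technique ID the behaviour maps to
    reason: str         # why the rule fired
    command_line: str   # original, un-normalised command line


# Rules run against a lower-cased, whitespace-collapsed command line. The
# indicators are assumed for the example and follow the page's description:
# vssadmin shadow deletion, bcdedit recovery disablement, PowerShell/WMI deletion.
RULES = [
    ("T1490", "vssadmin deleting shadow copies",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete shadows\b")),
    ("T1490", "bcdedit disabling Windows recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled no|bootstatuspolicy ignoreallfailures)\b")),
    ("T1490", "wmic deleting shadow copies",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("T1059.001", "PowerShell deleting shadow copies through WMI",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\bwin32_shadowcopy\b.*\bdelete\b")),
]

# Matches -e / -enc / -EncodedCommand followed by a base64 blob.
_ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def expand_encoded_powershell(cmdline: str) -> str:
    """Append the decoded script of a -EncodedCommand argument, if one is present.

    PowerShell encodes the script as base64 over UTF-16LE. A blob that does not
    decode cleanly is left alone so the raw command line is still scanned.
    """
    match = _ENCODED_ARG.search(cmdline)
    if not match:
        return cmdline
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return cmdline
    return f"{cmdline} {decoded}"


def scan_command_line(cmdline: str) -> list[Finding]:
    """Return one Finding per rule that matches the (expanded, normalised) command line."""
    normalised = re.sub(r"\s+", " ", expand_encoded_powershell(cmdline)).lower()
    return [Finding(tech, why, cmdline) for tech, why, rx in RULES if rx.search(normalised)]


def triage(events: list[str]) -> dict[str, list[str]]:
    """Map each flagged command line to the technique IDs it matched; clean events are dropped."""
    flagged: dict[str, list[str]] = {}
    for event in events:
        findings = scan_command_line(event)
        if findings:
            flagged[event] = [f.technique for f in findings]
    return flagged


def _encode_ps(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (helper for the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events; none come from a real incident.
_WMI_DELETE = "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
SAMPLE_EVENTS = [
    # benign: an administrator listing shadow copies
    "vssadmin.exe list shadows",
    # benign: a backup agent reading the boot configuration
    "bcdedit.exe /enum",
    # suspicious: one cmd.exe chain deleting shadow copies and disabling recovery (T1059.003 -> T1490)
    'cmd.exe /c "vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} '
    'recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    # suspicious: PowerShell removing shadow copies through WMI
    f'powershell.exe -nop -w hidden -c "{_WMI_DELETE}"',
    # suspicious: the same script hidden behind -EncodedCommand
    "powershell.exe -nop -w hidden -EncodedCommand " + _encode_ps(_WMI_DELETE),
]


if __name__ == "__main__":
    for cmdline, techniques in triage(SAMPLE_EVENTS).items():
        print(f"{techniques}: {cmdline[:90]}")
```

Matching on the decoded script rather than only on the raw command line is what catches the last sample: without the expansion step, the encoded PowerShell event looks identical to any other `powershell.exe -EncodedCommand` invocation. In a real pipeline the rule set would be tuned against the environment's backup and imaging tools, which legitimately call vssadmin and bcdedit, so the two benign samples are there to show that listing and enumeration do not fire.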
Groups That Use This Software
ID | Name | References |
---|---|---|
G0115 | GOLD SOUTHFIELD | [2][11] |
G0046 | FIN7 | [19][20][21] |
References
1. Cadieux, P., et al. (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
2. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
3. Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
4. Group IB. (2020, May). Ransomware Uncovered: Attackers' Latest Methods. Retrieved August 5, 2020.
5. Han, K. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.
6. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
7. Mamedov, O., et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
8. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
9. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
10. Saavedra-Morales, J., et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020.
11. Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
12. Tetra Defense. (2020, March). Cause and Effect: Sodinokibi Ransomware Analysis. Retrieved December 14, 2020.
13. Abrams, L. (2021, March 19). REvil ransomware has a new 'Windows Safe Mode' encryption mode. Retrieved June 23, 2021.
14. Heinemeyer, M. (2020, February 21). Post-mortem of a targeted Sodinokibi ransomware attack. Retrieved April 12, 2021.
15. McAfee Labs. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved April 12, 2021.
16. SecureWorks. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved April 12, 2021.
17. Fakterman, T. (2019, August 5). Sodinokibi: The Crown Prince of Ransomware. Retrieved April 12, 2021.
18. Larson, S. and Singleton, C. (2020, December). Ransomware in ICS Environments. Retrieved April 12, 2021.
19. Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
20. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
21. The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.