S0496 REvil
REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.264
Item | Value |
---|---|
ID | S0496 |
Associated Names | Sodin, Sodinokibi |
Type | MALWARE |
Version | 2.0 |
Created | 04 August 2020 |
Last Modified | 21 April 2022 |
Associated Software Descriptions
Name | Description |
---|---|
Sodin | 67 |
Sodinokibi | 265731118109212 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1134 | Access Token Manipulation | - |
enterprise | T1134.001 | Token Impersonation/Theft | REvil can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.8 |
enterprise | T1134.002 | Create Process with Token | REvil can launch an instance of itself with administrative rights using runas.2 |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | REvil has used HTTP and HTTPS in communication with C2.311862 |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | REvil has used PowerShell to delete volume shadow copies and download files.11164 |
enterprise | T1059.003 | Windows Command Shell | REvil can use the Windows command line to delete volume shadow copies and disable recovery.3192 |
enterprise | T1059.005 | Visual Basic | REvil has used obfuscated VBA macros for execution.59 |
enterprise | T1485 | Data Destruction | REvil has the capability to destroy files and folders.71188692 |
enterprise | T1486 | Data Encrypted for Impact | REvil can encrypt files on victim systems and demands a ransom to decrypt the files.7311069212 |
enterprise | T1140 | Deobfuscate/Decode Files or Information | REvil can decode encrypted strings to enable execution of commands and payloads.573862 |
enterprise | T1189 | Drive-by Compromise | REvil has infected victim machines through compromised websites and exploit kits.28911 |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.002 | Asymmetric Cryptography | REvil has encrypted C2 communications with the ECIES algorithm.7 |
enterprise | T1041 | Exfiltration Over C2 Channel | REvil can exfiltrate host and malware information to C2 servers.2 |
enterprise | T1083 | File and Directory Discovery | REvil has the ability to identify specific files and directories that are not to be encrypted.7311862 |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | REvil can connect to and disable the Symantec server on the victim’s network.3 |
enterprise | T1562.009 | Safe Mode Boot | REvil can force a reboot in safe mode with networking.13 |
enterprise | T1070 | Indicator Removal on Host | - |
enterprise | T1070.004 | File Deletion | REvil can mark its binary code for deletion after reboot.6 |
enterprise | T1105 | Ingress Tool Transfer | REvil can download a copy of itself from an attacker controlled IP address to the victim machine.189 |
enterprise | T1490 | Inhibit System Recovery | REvil can use vssadmin to delete volume shadow copies and bcdedit to disable recovery features.73111869212 |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | REvil can mimic the names of known executables.9 |
enterprise | T1112 | Modify Registry | REvil can save encryption parameters and system information to the Registry.311862 |
enterprise | T1106 | Native API | REvil can use Native API for execution and to retrieve active services.26 |
enterprise | T1027 | Obfuscated Files or Information | REvil has used encrypted strings and configuration files.51186492 |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.002 | Domain Groups | REvil can identify the domain membership of a compromised host.782 |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | REvil has been distributed via malicious e-mail attachments including MS Word Documents.53289 |
enterprise | T1055 | Process Injection | REvil can inject itself into running processes on a compromised host.10 |
enterprise | T1012 | Query Registry | REvil can query the Registry to get random file extensions to append to encrypted files.2 |
enterprise | T1489 | Service Stop | REvil has the capability to stop services and kill processes.62 |
enterprise | T1082 | System Information Discovery | REvil can identify the username, machine name, system language, keyboard layout, OS version, and system drive information on a compromised host.731188642 |
enterprise | T1614 | System Location Discovery | - |
enterprise | T1614.001 | System Language Discovery | REvil can check the system language using GetUserDefaultUILanguage and GetSystemDefaultUILanguage. If the language is found in the list, the process terminates.7 |
enterprise | T1007 | System Service Discovery | REvil can enumerate active services.6 |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | REvil has been executed via malicious MS Word e-mail attachments.5109 |
enterprise | T1047 | Windows Management Instrumentation | REvil can use WMI to monitor for and kill specific processes listed in its configuration file.114 |
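As an added illustration of the recovery-inhibition and safe-mode rows above (T1490, T1562.009, and the PowerShell shadow-copy deletion under T1059.001), the following detection sketch is example code written for this page, not code from ATT&CK or from any cited report. The process-creation records and the command-line patterns are constructed and will need tuning to a real environment's logging format and naming.

```python
import re

# Constructed Windows process-creation records (sample data, not taken from the page).
SAMPLE_EVENTS = [
    {"image": "vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"image": "bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"image": "bcdedit.exe", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"image": "bcdedit.exe", "cmdline": "bcdedit /set {current} safeboot network"},
    {"image": "powershell.exe", "cmdline": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"image": "vssadmin.exe", "cmdline": "vssadmin list shadows"},  # routine admin query, must not alert
    {"image": "bcdedit.exe", "cmdline": "bcdedit /enum"},           # routine admin query, must not alert
]

# (ATT&CK technique, description, pattern applied to the normalised command line)
RULES = [
    ("T1490", "vssadmin shadow copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("T1490", "bcdedit recovery features disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("T1562.009", "bcdedit safe mode boot configured",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b")),
    ("T1059.001", "PowerShell WMI shadow copy deletion",
     re.compile(r"\bpowershell\b.*\bwin32_shadowcopy\b.*\.delete\(\)")),
]

def normalise(cmdline: str) -> str:
    """Lower-case, drop quotes and collapse whitespace so rules match case and quoting variants."""
    return " ".join(cmdline.lower().replace('"', "").replace("'", "").split())

def classify(cmdline: str) -> list[tuple[str, str]]:
    """Return the (technique, description) pairs whose pattern matches one command line."""
    cmd = normalise(cmdline)
    return [(tech, desc) for tech, desc, pat in RULES if pat.search(cmd)]

def scan(events: list[dict]) -> list[dict]:
    """Run every rule over a batch of process-creation records and collect findings."""
    findings = []
    for ev in events:
        for tech, desc in classify(ev["cmdline"]):
            findings.append({"technique": tech, "description": desc,
                             "image": ev["image"], "cmdline": ev["cmdline"]})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['technique']:<10} {f['description']:<40} {f['cmdline']}")
```

The two routine administrative queries in the sample set produce no finding, which is the property worth checking before such rules are deployed against production telemetry.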
Groups That Use This Software
ID | Name | References |
---|---|---|
G0115 | GOLD SOUTHFIELD | 211 |
G0046 | FIN7 | 141516 |
References
1. Cadieux, P., et al. (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
2. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
3. Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
4. Group IB. (2020, May). Ransomware Uncovered: Attackers' Latest Methods. Retrieved August 5, 2020.
5. Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.
6. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
7. Mamedov, O., et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
8. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
9. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
10. Saavedra-Morales, J., et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020.
11. Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
12. Tetra Defense. (2020, March). Cause and Effect: Sodinokibi Ransomware Analysis. Retrieved December 14, 2020.
13. Abrams, L. (2021, March 19). REvil ransomware has a new 'Windows Safe Mode' encryption mode. Retrieved June 23, 2021.
14. Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
15. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
16. The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.