The REvil ransomware

REvil (Ransomware Evil, also known as Sodinokibi) is a Russian-speaking private Ransomware-as-a-Service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page (Happy Blog) unless the ransom was received.

In a high-profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products.


The story of REvil

REvil recruits affiliates to distribute the ransomware for them. 

As part of this arrangement, the affiliates and ransomware developers split the revenue generated from ransom payments. 

It is difficult to pinpoint their exact location, but it suppose to be based in Russia due to the fact that the group does not target Russian organizations, or those in former Soviet-bloc countries. 

Ransomware code used by REvil resembles the code used by DarkSide, a different hacking group.

REvil’s code is not publicly available, suggesting that DarkSide is an offshoot of REvil or a partner of it. 

REvil and DarkSide use similarly structured ransom notes and the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country. 

Cybersecurity experts believe REvil is an offshoot from a previous notorious, but now-defunct hacker gang, GandCrab. 

This is suspected due to the fact that REvil first became active directly after GandCrab shutdown, and that the ransomware both share a significant amount of code.


The attacks of REvil

The ransomware gang known as REvil has been around for years, and according to various estimates, 42% of all recent ransomware attacks are attributable to them.

In the first half of 2021, the gang hit at least 1,000 companies by attacking software company Kaseya. It was one of the largest ransomware campaigns ever conducted. 

During the same period, REvil also hit meat supplier JBS and demanded payment of $11 million.

In another major case, REvil reserved itself for a supplier of the tech giant Apple and stole the blueprints of their upcoming products.


The features of REvil

The ransomware has no particular obfuscation techniques except for the imported API functions and strings.

The latter are extracted using a huge buffer made up of a series of RC4 key pairs and related encrypted data.

From what was observed during the CERT-AgID analysis, the first action performed by the ransomware is precisely to decrypt its configuration: it is a JSON string encrypted with RC4 using a fixed and clear key.

Among the information contained in the JSON, which mainly concerns the technical instructions (extensions, processes to be blocked, etc.), there is also a list of domains (C2) used by the malware to notify that that particular machine has been successfully compromised.

The data passed to C2 also indicates whether the target on which you are working is to be attacked or not (key “bro”).

It is interesting to note that the list of C2, which are assumed to be all compromised domains, includes 8 Italian ones.

The ransomware collects information about the machine (username, computer name, domain or workgroup and reads the free space and volumes present) and defuses itself if the keyboard layout or system language corresponds to a former USSR country or Syria.

From the decoded strings it was possible to trace the parameters that can be passed to the ransomware from the command line.

These include the ability to encrypt a specific path on the disk or to avoid encryption of shared folders or even the safeboot mode.

The “Smode” mode (safeboot mode) is activated with the -smode parameter, in this case the ransomware sets the current user’s password as “DTrump4ever”, configures the auto-logon and enables the safe mode with network before proceeding with system reboot.


Tips to defend yourself

Monitor and respond to alerts: ensure that tools, processes and resources (people) are available to monitor, investigate and respond to threats detected in the environment.

Set and enforce strong passwords: strong passwords are one of the first lines of defense. Passwords must be unique or complex and never reused.

Multi Factor Authentication (MFA): multi-factor authentication is a useful tool to protect access to critical resources such as e-mail, remote management tools and network resources.

Block accessible services: it is necessary to scan the network of your organization from the outside, identify and block the ports usually used by VNC, RDP or other remote access tools.

Segmentation and Zero-Trust: separate servers from each other and from workstations by placing them in separate VLANs while working on a zero-trust network model.

Take offline backups of information and applications: keep them up to date and keep an offline copy.

Take inventory of your assets and accounts: unsecured and unpatched devices on the network increase the risk and create a situation in which malicious activities could go unnoticed.

Install multi-layered protection to block attackers in as many places as possible and extend that security to all allowed endpoints on your network.

Product configuration: it is important to ensure that security solutions are configured correctly and to update policies regularly.

Keep Windows and other software up to date: this allows you to check that the patches have been installed correctly and, in particular, are present for critical systems such as machines with an Internet connection or domain controllers.