Active since 2019, the actors behind Sodinokibi, also known as REvil, are one of the most prolific ransomware groups currently operating. Believed to have Russian origins, the REvil gang avoids targeting Eastern European companies. The group extorts payment from victims by publishing confidential documents on the dark web for anyone to view. Even companies who are not hit directly by this group risk losing sensitive data if a member of their supply chain hosts/stores sensitive data on the supply chain network.
The REvil group was first observed spreading ransomware by researchers in mid 2019. The group evolved from the now defunct GandCrab ransomware gang. They rose to prominence in the months after GandCrab shutdown. Moreover, the malware utilized by REvil is closely linked to that employed by GrandCrab. REvil currently ranks among the top 5 most prolific ransomware gangs.
The REvil group is known to employ a variety of methods to obtain initial access. Tactics vary from phishing emails, RDP brute forcing, and exploitation of unpatched vulnerabilities. Most recently, REvil made headlines by exploiting the novel Microsoft Exchange vulnerability to compromise the Taiwanese computer manufacturing company Acer. The variety of attacks used by this group suggest a high level of sophistication.
In a typical intrusion, REvil leverages malicious Word or Excel document macros to download and execute a trojan, for example IcedID bot (BokBot). Once an initial foothold is achieved, the REvil group establishes persistence before conducting reconnaissance of the internal network.
REvil has been observed utilizing Cobalt Strike to aid in lateral movement and actions on the objective. Cobalt Strike is a popular command and control (C2) framework used by both penetration testers and black hat hackers alike.
Similar to the tactics employed by most ransomware gangs, REvil proceeds to conduct further reconnaissance and lateral movement until sufficient privileges are obtained to compromise the domain controller. REvil utilizes SMB and PowerShell to move laterally throughout a network. Once on the domain controller, REvil conducts further post-exploitation enumeration to fully map out the internal network. At this point, it is believed REvil exfiltrates confidential documents to publish online in order to extort a ransom payment.
At this stage of an intrusion, REvil group deploys ransomware to the whole domain via native Windows tools from the domain controller. Recent versions of the REvil ransomware reboots infected computers into Safe Mode with Networking prior to encrypting the contents of the hard drive. Rebooting into Safe Mode prevents endpoint detection and antivirus software from running and potentially stopping encryption.
Ransome notes left on infected computers contain information on how to contact the REvil group and a link to their darknet dump site. Moreover, REvil lists the ransom price, insisting that if payment is not delivered in 7 days, the price will double. If the ransom is not paid, REvil puts the information up for auction before eventually publicly dumping the lot.
REvil is one of the most active ransomware gangs. At the time of writing, 178 organizations have fallen victim to REvil intrusions. The amount of ransom demanded by REvil varies depending on what the gang believes the victim can afford. Sources report the lowest demand was less than $1,000 with the highest demand being $40,000,000. REvil seems to indiscriminately target vulnerable organizations. Their dump site contains construction companies, educational institutions, and healthcare services.
As previously mentioned, if a ransom is not paid, REvil puts the information up for auction on their site.
Auction price on the REvil dump site also vary depending on company size. Smaller companies minimum deposit ranges from $500 to $1,000 while larger companies require a deposit ranging from $60,000 to $100,000. Unlike other ransomware groups, REvil only accepts the cryptocurrency Monero for payments as opposed to Bitcoin. To participate in these auctions, users must register separately for each auction they are interested in bidding for. Next, users will deposit 10% of the starting price, this is to ensure all bidders are serious about paying for the stolen documents. At the end of the auction, all bidders will receive their initial deposit back unless they are the winner, in which case that initial deposit will contribute toward the final bid payment.
REvil is currently one of the most active ransomware groups and shows no sign of slowing in the coming months. By leveraging a variety of initial access method, this group demonstrates a high level of sophistication. Organizations need to remain up to date on emerging cyber threats to prevent falling prey to REvil and similar groups.
Red Sky Alliance has been has analyzing and documenting these type of cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are often dusted off and reused in current malicious campaigns.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings: