
REvil

REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)
ID: S0496
Associated Software: Sodin Sodinokibi
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 04 Aug 2020
Last Modified: 24 May 2022

Associated Software Descriptions

Name Description
Sodin (Citation: Intel 471 REvil March 2020)(Citation: Kaspersky Sodin July 2019)
Sodinokibi (Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: G Data Sodinokibi June 2019)(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: McAfee REvil October 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)(Citation: Tetra Defense Sodinokibi March 2020)

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

REvil can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.(Citation: McAfee Sodinokibi October 2019)

.002 Access Token Manipulation: Create Process with Token

REvil can launch an instance of itself with administrative rights using runas.(Citation: Secureworks REvil September 2019)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

REvil has used HTTP and HTTPS in communication with C2.(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

REvil has used PowerShell to delete volume shadow copies and download files.(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)

.003 Command and Scripting Interpreter: Windows Command Shell

REvil can use the Windows command line to delete volume shadow copies and disable recovery.(Citation: Cylance Sodinokibi July 2019)(Citation: Talos Sodinokibi April 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)

.005 Command and Scripting Interpreter: Visual Basic

REvil has used obfuscated VBA macros for execution.(Citation: G Data Sodinokibi June 2019)(Citation: Picus Sodinokibi January 2020)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

REvil has encrypted C2 communications with the ECIES algorithm.(Citation: Kaspersky Sodin July 2019)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

REvil can connect to and disable the Symantec server on the victim's network.(Citation: Cylance Sodinokibi July 2019)

.009 Impair Defenses: Safe Mode Boot

REvil can force a reboot in safe mode with networking.(Citation: BleepingComputer REvil 2021)

Enterprise T1070 .004 Indicator Removal: File Deletion

REvil can mark its binary code for deletion after reboot.(Citation: Intel 471 REvil March 2020)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

REvil can mimic the names of known executables.(Citation: Picus Sodinokibi January 2020)

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

REvil can identify the domain membership of a compromised host.(Citation: Kaspersky Sodin July 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Secureworks REvil September 2019)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

REvil has been distributed via malicious e-mail attachments including MS Word Documents.(Citation: G Data Sodinokibi June 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Picus Sodinokibi January 2020)

Enterprise T1614 .001 System Location Discovery: System Language Discovery

REvil can check the system language using GetUserDefaultUILanguage and GetSystemDefaultUILanguage. If the language is found in the list, the process terminates.(Citation: Kaspersky Sodin July 2019)

Enterprise T1204 .002 User Execution: Malicious File

REvil has been executed via malicious MS Word e-mail attachments.(Citation: G Data Sodinokibi June 2019)(Citation: McAfee REvil October 2019)(Citation: Picus Sodinokibi January 2020)

Groups That Use This Software

ID Name References
G0046 FIN7

(Citation: IBM Ransomware Trends September 2020) (Citation: CrowdStrike Carbon Spider August 2021) (Citation: FBI Flash FIN7 USB)

G0115 GOLD SOUTHFIELD

(Citation: Secureworks REvil September 2019) (Citation: Secureworks GandCrab and REvil September 2019)

References

  1. Cadieux, P., et al. (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
  2. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  3. Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  4. Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.
  5. Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.
  6. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  7. Mamedov, O., et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
  8. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  9. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
  10. Saavedra-Morales, J., et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020.
  11. Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  12. Tetra Defense. (2020, March). Cause and Effect: Sodinokibi Ransomware Analysis. Retrieved December 14, 2020.
  13. Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
  14. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  15. The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.
  16. Abrams, L. (2021, March 19). REvil ransomware has a new ‘Windows Safe Mode’ encryption mode. Retrieved June 23, 2021.
