REvil
Associated Software Descriptions

Name | Description
---|---
Sodin | (Citation: Intel 471 REvil March 2020)(Citation: Kaspersky Sodin July 2019)
Sodinokibi | (Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: G Data Sodinokibi June 2019)(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: McAfee REvil October 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)(Citation: Tetra Defense Sodinokibi March 2020)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | REvil can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.(Citation: McAfee Sodinokibi October 2019)
Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token | REvil can launch an instance of itself with administrative rights using runas.(Citation: Secureworks REvil September 2019)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | REvil has used HTTP and HTTPS in communication with C2.(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | REvil has used PowerShell to delete volume shadow copies and download files.(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | REvil can use the Windows command line to delete volume shadow copies and disable recovery.(Citation: Cylance Sodinokibi July 2019)(Citation: Talos Sodinokibi April 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | REvil has used obfuscated VBA macros for execution.(Citation: G Data Sodinokibi June 2019)(Citation: Picus Sodinokibi January 2020)
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | REvil has encrypted C2 communications with the ECIES algorithm.(Citation: Kaspersky Sodin July 2019)
Enterprise | T1480.002 | Execution Guardrails: Mutual Exclusion | REvil attempts to create a mutex using a hard-coded value to ensure that no other instances of itself are running on the host.(Citation: SecureWorks September 2019)
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | REvil can connect to and disable the Symantec server on the victim's network.(Citation: Cylance Sodinokibi July 2019)
Enterprise | T1562.009 | Impair Defenses: Safe Mode Boot | REvil can force a reboot in safe mode with networking.(Citation: BleepingComputer REvil 2021)
Enterprise | T1070.004 | Indicator Removal: File Deletion | REvil can mark its binary code for deletion after reboot.(Citation: Intel 471 REvil March 2020)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | REvil can mimic the names of known executables.(Citation: Picus Sodinokibi January 2020)
Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | REvil can save encryption parameters and system information in the Registry.(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | REvil has used encrypted strings and configuration files.(Citation: G Data Sodinokibi June 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)
Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | REvil can identify the domain membership of a compromised host.(Citation: Kaspersky Sodin July 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Secureworks REvil September 2019)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | REvil has been distributed via malicious e-mail attachments including MS Word Documents.(Citation: G Data Sodinokibi June 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Picus Sodinokibi January 2020)
Enterprise | T1614.001 | System Location Discovery: System Language Discovery | REvil can check the system language using
Enterprise | T1204.002 | User Execution: Malicious File | REvil has been executed via malicious MS Word e-mail attachments.(Citation: G Data Sodinokibi June 2019)(Citation: McAfee REvil October 2019)(Citation: Picus Sodinokibi January 2020)
Groups That Use This Software

ID | Name | References
---|---|---
G0046 | FIN7 | (Citation: CrowdStrike Carbon Spider August 2021) (Citation: Microsoft Ransomware as a Service) (Citation: IBM Ransomware Trends September 2020) (Citation: FBI Flash FIN7 USB)
G0115 | GOLD SOUTHFIELD | (Citation: Secureworks REvil September 2019) (Citation: Secureworks GandCrab and REvil September 2019)
References
- Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
- Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
- Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
- Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.
- Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.
- Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
- Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
- McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
- Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
- Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020.
- Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
- Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020.
- Abrams, L. (2021, March 19). REvil ransomware has a new ‘Windows Safe Mode’ encryption mode. Retrieved June 23, 2021.
- Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
- Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
- Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
- The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.
- SecureWorks. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved April 12, 2021.