REvil – Tactics, Techniques, Procedures

APT Name: REvil

APT Aliases:

  • Sodinokibi
  • Sodin

APT Type: Ransomware

APT Country: Russia

APT State-Sponsored:

  • [ ] Unknown
  • [x] Unconfirmed
  • [ ] Confirmed

Active Since: April 2019

Discovered by: Cisco Talos

Target Countries: All countries except Syria and the Commonwealth of Independent States (CIS), which includes Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan. Main targets are the US, Australia, Canada, Finland, and Hong Kong.

Target Organizations: Professional and legal services, manufacturing, media and communication, wholesale and retail, construction and engineering, and energy sectors.

Organization Size:

First Discovered: April 2019

Tools:

Tactic:

  • Ransomware-as-a-Service (RaaS), which uses affiliates to distribute infections of the malware. The affiliates receive a percentage of the ransoms paid after the developers of the ransomware take their cut.

Techniques:

  • The computer code behind the massive ransomware attack by the Russian-speaking hacking ring REvil was written so that the malware avoids systems that primarily use Russian or related languages.

Procedures:

  • Sodinokibi is ransomware that encrypts all the files on local drives except for those that are listed in its configuration file.
  • We see Ransom.Sodinokibi being dropped by variants of Trojan.MalPack.GS that previously used to drop Ransom.GandCrab.
  • Targeted files have the extensions .jpg, .jpeg, .raw, .tif, .png, .bmp, .3dm, .max, .accdb, .db, .mdb, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .aaf, .aep, .aepx, .plb, .prel, .aet, .ppj, .gif, and .psd.

Organizations Attacked: