APT Name: REvil
APT Aliases:
- Sodinokibi
- Sodin
APT Type: Ransomware
APT Country: Russia
APT State-Sponsored:
- [ ] Unknown
- [x] Unconfirmed
- [ ] Confirmed
Active Since: April 2019
Discovered by: Cisco Talos
Target Countries: All countries except Syria and the Commonwealth of Independent States (CIS), which includes Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan. Main targets are the US, Australia, Canada, Finland, and Hong Kong.
Target Organizations: Professional and legal services, manufacturing, media and communication, wholesale and retail, construction and engineering, and energy sectors.
Organization Size:
First Discovered: April 2019
Tools:
Tactic:
- Ransomware-as-a-Service (RaaS), which uses affiliates to distribute infections of the malware. The affiliates would then get a percentage of the ransoms paid after developers of the ransomware got their cut.
Techniques:
- The computer code behind the massive ransomware attack by the Russian-speaking hacking ring REvil was written so that the malware avoids systems that primarily use Russian or related languages.
Procedures:
- Sodinokibi is ransomware that encrypts all the files on local drives except for those listed in its configuration file.
- We see Ransom.Sodinokibi being dropped by variants of Trojan.MalPack.GS that previously used to drop Ransom.GandCrab.
- Targeted files have the extensions .jpg, .jpeg, .raw, .tif, .png, .bmp, .3dm, .max, .accdb, .db, .mdb, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .aaf, .aep, .aepx, .plb, .prel, .aet, .ppj, .gif, and .psd.
Organizations Attacked:
- REvil Kaseya Ransomware Attack
- JBS Foods