REvil

| Attribute | Value |
|---|---|
| Name | REvil |
| Aliases | Sodinokibi, Sodin |
| Type | Ransomware |
| Country of Origin | Russia |
| State Sponsored | [ ] Unknown [x] Unconfirmed [ ] Confirmed |
| Active Since | April 2019 |
| Discovered by | Cisco Talos |
| Target Countries | All countries except Syria and the Commonwealth of Independent States (CIS), which includes Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan. Main targets are the US, Australia, Canada, Finland, and Hong Kong. |
| Target Organizations | Professional and legal services, manufacturing, media and communication, wholesale and retail, construction and engineering, and energy sectors. |
| Organization Size | |
| First discovered | April 2019 |
| Tools | |
| Tactic | Ransomware-as-a-Service (RaaS), which uses affiliates to distribute infections of the malware. The affiliates then receive a percentage of the ransoms paid after the developers of the ransomware have taken their cut. |
| Technique | The computer code behind the massive ransomware attack by the Russian-speaking hacking ring REvil was written so that the malware avoids systems that primarily use Russian or related languages. |
| Procedures | Sodinokibi is ransomware that encrypts all the files on local drives except for those listed in its configuration file. Ransom.Sodinokibi has been seen being dropped by variants of Trojan.MalPack.GS that previously dropped Ransom.GandCrab. Targeted files have the extensions .jpg, .jpeg, .raw, .tif, .png, .bmp, .3dm, .max, .accdb, .db, .mdb, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .aaf, .aep, .aepx, .plb, .prel, .aet, .ppj, .gif, and .psd. |
| Organizations Attacked | REvil Kaseya Ransomware Attack; JBS Foods |