Attribute | Value |
---|---|
Name | REvil |
Aliases | Sodinokibi, Sodin |
Type | Ransomware |
Country of Origin | Russia |
State Sponsored | [ ] Unknown [x] Unconfirmed [ ] Confirmed |
Active Since | April 2019 |
Discovered by | Cisco Talos |
Target Countries | All countries except Syria and the Commonwealth of Independent States (CIS) region, i.e. Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan. Main targets are the US, Australia, Canada, Finland, and Hong Kong. |
Target Organizations | Professional and legal services, manufacturing, media and communication, wholesale and retail, construction and engineering, and energy sectors. |
Organization Size | |
First discovered | April 2019 |
Tools | |
Tactic | Ransomware-as-a-Service (RaaS): the developers maintain the malware and payment infrastructure while affiliates gain access to victims and deploy it. Ransom payments are split, with the developers taking their cut and the affiliate receiving the remaining percentage. |
Technique | The malware checks the host's language settings (the Windows UI language and the installed keyboard layouts) before encrypting and exits on systems that primarily use Russian or related CIS languages, so that the Russian-speaking operators avoid victims in their home region. |
Procedures | Sodinokibi encrypts all files on local drives except those listed in its configuration file (a skip list of folder names, file names and extensions that keeps the system bootable and the ransom note readable). Ransom.Sodinokibi has been seen dropped by variants of Trojan.MalPack.GS that previously dropped Ransom.GandCrab. Observed targeted file extensions include .jpg, .jpeg, .raw, .tif, .png, .bmp, .3dm, .max, .accdb, .db, .mdb, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .aaf, .aep, .aepx, .plb, .prel, .aet, .ppj, .gif, and .psd. |
Organizations Attacked | Kaseya (July 2021 supply-chain attack delivered through the Kaseya VSA remote-management software to its MSP customers), JBS Foods (May 2021) |
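
The two targeting decisions in the Technique and Procedures rows above, modelled in Python as an added example. This is not code from the original page or from the malware itself: it reproduces only the decision logic the page describes (abort on hosts whose language settings point to Russia, the CIS or Syria; encrypt everything not on a configuration skip list) so an analyst can reason about which hosts and which files are in scope. The LCID table is built from the public Windows LCID list for the countries the page names, and the `SkipList` layout and sample file paths are constructed for illustration; none of it is the malware's real configuration format or content.

```python
"""Model of REvil/Sodinokibi host-exclusion and file-selection logic.

Added example: reproduces the behaviour described on the page, not the
malware's own code or configuration. LCIDs, skip list and sample paths are
constructed here for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Windows LCIDs (language + region) for the countries the page lists as
# excluded. Taken from the public Windows LCID table, not from a sample:
# Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan,
# Turkmenistan, Ukraine, Uzbekistan and Syria.
EXCLUDED_LCIDS: frozenset[int] = frozenset({
    0x042B,  # hy-AM       Armenian
    0x0423,  # be-BY       Belarusian
    0x043F,  # kk-KZ       Kazakh
    0x0440,  # ky-KG       Kyrgyz
    0x0818,  # ro-MD       Romanian (Moldova)
    0x0419,  # ru-RU       Russian
    0x0428,  # tg-Cyrl-TJ  Tajik
    0x0442,  # tk-TM       Turkmen
    0x0422,  # uk-UA       Ukrainian
    0x0443,  # uz-Latn-UZ  Uzbek (Latin)
    0x0843,  # uz-Cyrl-UZ  Uzbek (Cyrillic)
    0x2801,  # ar-SY       Arabic (Syria)
})


def would_abort(user_ui_lcid: int, system_ui_lcid: int,
                keyboard_layouts: list[int]) -> bool:
    """True if a host with these settings falls in the exclusion set.

    Models the page's 'avoids systems that primarily use Russian or related
    languages' as a check of the user UI language, the system UI language and
    every installed keyboard layout. A keyboard layout handle (HKL) carries the
    input language LCID in its low 16 bits. Any single match is enough.
    """
    if user_ui_lcid in EXCLUDED_LCIDS or system_ui_lcid in EXCLUDED_LCIDS:
        return True
    return any((hkl & 0xFFFF) in EXCLUDED_LCIDS for hkl in keyboard_layouts)


@dataclass(frozen=True)
class SkipList:
    """Constructed model of the 'do not encrypt' part of the configuration
    file the page refers to: folders, file names and extensions left alone
    so the OS stays bootable and the ransom note stays readable."""
    folders: frozenset[str] = frozenset()
    filenames: frozenset[str] = frozenset()
    extensions: frozenset[str] = frozenset()


def files_to_encrypt(paths: list[str], skip: SkipList) -> list[str]:
    """Everything on the drive except what the skip list matches (page:
    'encrypts all the files on local drives except for those that are listed
    in their configuration file'). Matching is case-insensitive like NTFS."""
    selected: list[str] = []
    for path in paths:
        parts = path.replace("\\", "/").lower().split("/")
        name = parts[-1]
        ext = name.rsplit(".", 1)[1] if "." in name else ""
        if any(part in skip.folders for part in parts[:-1]):
            continue  # inside a protected folder such as Windows\
        if name in skip.filenames or ext in skip.extensions:
            continue  # protected file name or extension
        selected.append(path)
    return selected


# Constructed sample data, not taken from a real host or sample.
SAMPLE_SKIP = SkipList(
    folders=frozenset({"windows", "program files", "$recycle.bin", "boot"}),
    filenames=frozenset({"ntldr", "bootmgr", "desktop.ini", "thumbs.db"}),
    extensions=frozenset({"exe", "dll", "sys", "lnk", "msi", "ini"}),
)

SAMPLE_FILES = [
    r"C:\Windows\System32\kernel32.dll",          # skipped: Windows folder
    r"C:\Users\alice\Documents\contract.accdb",   # encrypted (.accdb on page)
    r"C:\Users\alice\Pictures\site.jpg",          # encrypted (.jpg on page)
    r"C:\Projects\src\main.cpp",                  # encrypted (.cpp on page)
    r"C:\Projects\web\index.php",                 # encrypted (.php on page)
    r"C:\Users\alice\Desktop\tool.exe",           # skipped: .exe
    r"C:\Users\alice\Desktop\desktop.ini",        # skipped: protected name
    r"D:\Designs\tower.dwg",                      # encrypted (.dwg on page)
]

if __name__ == "__main__":
    # en-US host with only a US layout: in scope.
    print("US host aborts:", would_abort(0x0409, 0x0409, [0x04090409]))
    # Same host after adding a Russian keyboard layout: excluded.
    print("US+RU layout aborts:",
          would_abort(0x0409, 0x0409, [0x04090409, 0x04190419]))
    for f in files_to_encrypt(SAMPLE_FILES, SAMPLE_SKIP):
        print("would encrypt:", f)
```

The keyboard-layout branch is the one defenders care about: because an installed layout alone satisfies the check in this model, the decision is per host rather than per user locale, which is why inventorying `HKCU\Keyboard Layout\Preload` and the system UI language tells you whether a given machine sits inside or outside the exclusion set.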