Effective URL: https://niiconsulting.com/checkmate/2021/08/revealing-revil/
REVEALING REVIL

August 26, 2021 | Nilesh Bhamare

An Overview of the most dreaded ransomware in recent times


RESURGENCE OF RANSOMWARE

In April 2019, the Cybereason Nocturnus team encountered several target machines
infected with a ransomware called Sodinokibi, which spread via links to zip
files containing malicious JavaScript.

Sodinokibi (aka Sodin, aka REvil) has been installed on machines by exploiting
a deserialization vulnerability in Oracle WebLogic (CVE-2019-2725), and it is
also distributed through exploit kits and spam.

In this blog, we present a technical analysis of the REvil ransomware, focusing
on its delivery method and on the techniques the malware authors use to evade
anti-virus detection.

This malware is yet another sign of the resurgence of ransomware, a threat we
have been tracking for many years. The resurgence is corroborated by reports
that ransomware payments doubled in the second quarter of 2019, the quarter in
which REvil first appeared.

In our analysis, we observed interesting similarities between REvil and the
GandCrab ransomware, and reports by other security researchers also found
similarities between the two families. Interestingly, the GandCrab operators
had claimed in June 2019, shortly after REvil first appeared, that they were
retiring and discontinuing their operations.


HOW REVIL WORKS

REvil is typically deployed in human-operated ransomware campaigns, in the same
way as Ryuk and WastedLocker. After breaking in, the operators use a range of
tools and techniques to map the network, move laterally, obtain domain
administrator privileges, and then deploy the ransomware to every reachable
computer to maximize the impact.

The initial access vector varies: phishing emails with malicious attachments,
compromised RDP (Remote Desktop Protocol) credentials, and exploitation of
vulnerabilities in public-facing services. In 2019, REvil operators gained
access to systems by exploiting a known vulnerability in Oracle WebLogic
(CVE-2019-2725).

According to Coveware’s report, REvil is distributed primarily through the
following vectors:

It is also believed that many REvil affiliates use brute force attacks to
compromise RDP.


WHAT HAPPENS DURING A REVIL ATTACK

REvil stands apart from most other ransomware families by using an
Elliptic-curve Diffie-Hellman (ECDH) key exchange instead of RSA
(Rivest-Shamir-Adleman) and the Salsa20 stream cipher instead of AES (Advanced
Encryption Standard) to encrypt files. At an equivalent security level these
algorithms use much shorter keys and run faster, and when implemented correctly
they are practically impossible to break: encrypted files cannot be recovered
without the operators' private key, which makes offline backups the only
reliable recovery path.

The initial infection vector used by the threat actor in this campaign is a
phishing email containing a malicious link. When the link is clicked, it
downloads a malicious zip file. REvil/Sodinokibi zip files have had a very low
detection rate on VirusTotal, indicating that most antivirus vendors did not
flag the initial payload as malicious.

The zip file contains an obfuscated JavaScript file.

Fig: Obfuscated JavaScript file

When the user double-clicks the JavaScript file, the Windows Script Host
(wscript.exe) executes it.

Fig: WScript executing malicious JavaScript

The JavaScript file de-obfuscates an embedded PowerShell script and saves it in
the temp directory.

Next, the PowerShell script decodes an additional Base64-encoded script and
executes it. The decoded script in turn contains a .NET module, also
Base64-encoded, which is decoded and loaded directly into the PowerShell
process memory. Because the module is never written to disk as an executable,
file-based antivirus scanning never gets to inspect it.
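The chain above (script host, then PowerShell with an encoded command, then a Base64 .NET module loaded in memory) is what an analyst has to peel apart during triage. The following is an added example written for this post, not code from the original article and not the malware's own script: it walks constructed Sysmon-style process-creation records, picks out powershell.exe launched by a script host, decodes the -EncodedCommand argument (Base64 of UTF-16LE text), and looks inside the decoded script for a Base64 blob that decodes to a PE image, which is what a .NET module looks like just before Assembly.Load() runs. The process records, the stand-in assembly bytes and the inner script are all constructed for the demo.

```python
"""
Triage helper for the REvil delivery chain: zip -> obfuscated JavaScript ->
wscript.exe -> PowerShell -> Base64 layers -> .NET module loaded in memory.
Added example; the records and payload below are constructed, not real malware.
"""
import base64
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# powershell accepts -e, -ec, -enc and -EncodedCommand (case-insensitive)
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def encode_powershell_command(script: str) -> str:
    """-EncodedCommand expects Base64 of the script text encoded as UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed stand-in for the Base64 .NET module: PE magic plus DOS stub text only.
FAKE_ASSEMBLY = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
INNER_SCRIPT = (
    "$b=[Convert]::FromBase64String('" + base64.b64encode(FAKE_ASSEMBLY).decode() + "');"
    "[Reflection.Assembly]::Load($b)"       # reflective load, nothing touches disk
)

# Constructed Sysmon Event 1 style records from one host.
SAMPLE_EVENTS = [
    {"pid": 5208, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\Downloads\invoice.js"'},
    {"pid": 5300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_powershell_command(INNER_SCRIPT)},
    {"pid": 5400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},   # benign admin use
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the script text hidden behind -enc/-EncodedCommand, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def embedded_pe_blobs(script: str):
    """Decode every long Base64 run in the script; keep the ones that are PE images."""
    blobs = []
    for candidate in B64_BLOB.findall(script):
        try:
            raw = base64.b64decode(candidate, validate=True)
        except ValueError:
            continue
        if raw[:2] == b"MZ":
            blobs.append(raw)
    return blobs


def triage(events):
    """Flag powershell.exe spawned by a script host and decode what it was handed."""
    hits = []
    for ev in events:
        if basename(ev["image"]) != "powershell.exe":
            continue
        if basename(ev["parent_image"]) not in SCRIPT_HOSTS:
            continue
        script = decode_encoded_command(ev["cmdline"])
        pes = embedded_pe_blobs(script) if script else []
        hits.append({
            "pid": ev["pid"],
            "parent": basename(ev["parent_image"]),
            "decoded": script is not None,
            "reflective_load": bool(script) and "Assembly]::Load" in script,
            "embedded_pe_count": len(pes),
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The parent/child relationship is the cheap, robust signal: a script host spawning PowerShell is rare in most environments regardless of how the JavaScript is obfuscated. Decoding the encoded command and the nested Base64 is what turns the alert into an artifact list (the dropper, the stage-two script and the in-memory module) for the incident response team.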

To release files that are open and locked, REvil terminates processes such as
winword.exe, excel.exe, powerpnt.exe, onenote.exe, wordpad.exe, outlook.exe,
thunderbird.exe and firefox.exe before it starts encrypting.

REVIL ALSO STOPS SERVICES SUCH AS:

 * Mepoc.exe, the MailEnable Postoffice Connector Service developed by
   MailEnable Pty Ltd.
 * vssvc.exe, the Volume Shadow Copy service, which manages and implements the
   shadow copies used by backups and other features. With this service stopped,
   shadow copies are unavailable, backups fail, and the local restore points a
   victim would otherwise fall back on are gone.
 * memtas.exe, the MailEnable Mail Transfer Agent service from MailEnable Pty
   Ltd.
 * veeam.exe, Veeam backup software developed by Veeam Software AG.
 * SQL Server related services.
 * viprePPLSvc.exe, part of the VIPRE security product developed by VIPRE
   Security.
 * kavfsscs.exe, part of Kaspersky Anti-Virus for Windows Servers Enterprise
   Edition.

The pattern is consistent: mail, database and backup services are stopped so
that their data files are no longer locked, and backup and security products
are stopped so that they can neither interfere with encryption nor provide a
recovery path afterwards.

REvil then encrypts files on all local drives, skipping only the folders, file
names and extensions whitelisted in its embedded configuration.


RANSOM REQUEST

Fig: New desktop wallpaper set after the files are encrypted

Fig: The ransom note dropped by the ransomware


HOW TO MITIGATE/DEFEND AGAINST REVIL

Before it does anything else, REvil/Sodinokibi checks the system's UI language
(and, in later builds, the installed keyboard layouts) against a fixed list and
exits without encrypting anything if it finds a match. The list covers the
languages below, which correspond to the CIS region:

 * Azerbaijani (Latin)
 * Georgian
 * Tatar
 * Romanian
 * Azeri
 * Kazakh
 * Kyrgyz
 * Turkmen
 * Uzbek
 * Ukrainian
 * Russian
 * Belarusian
 * Tajik
 * Armenian
 * Syriac
 * Arabic (Syria)

This is a choice made by the malware authors, not a control an organization can
rely on, but it is a useful signal during analysis: a sample that exits
immediately on a host configured with one of these locales is behaving as
designed, and the check itself is characteristic of this family.
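To make the locale check concrete, here is an added example (not code from the original post and not the malware's own code) that reproduces the decision the sample makes. It compares the user and system UI language and the installed keyboard layouts with a fixed set of Windows language identifiers (LANGIDs) and reports whether the sample would exit. The LANGID values are the standard Windows identifiers for the languages in the table above, as reported in public analyses of the sample; that keyboard layouts are checked as well as the UI language is reported for later builds and is treated here as an assumption. The host inventory is constructed for the demo.

```python
"""
REvil/Sodinokibi locale exclusion check, as an added example.  A LANGID is the
low 16 bits of an LCID; a keyboard layout handle (HKL) carries the input
language ID in its low word.  The set below follows public analyses of the
sample and mirrors the language table in the text (assumption: exact set).
"""

EXCLUDED_LANGIDS = {
    0x0419: "Russian",
    0x0422: "Ukrainian",
    0x0423: "Belarusian",
    0x0428: "Tajik",
    0x042B: "Armenian",
    0x042C: "Azerbaijani (Latin)",
    0x0437: "Georgian",
    0x043F: "Kazakh",
    0x0440: "Kyrgyz",
    0x0442: "Turkmen",
    0x0443: "Uzbek (Latin)",
    0x0444: "Tatar",
    0x045A: "Syriac",
    0x0818: "Romanian (Moldova)",
    0x0819: "Russian (Moldova)",
    0x082C: "Azerbaijani (Cyrillic)",
    0x0843: "Uzbek (Cyrillic)",
    0x2801: "Arabic (Syria)",
}


def langid_of_layout(hkl: int) -> int:
    """GetKeyboardLayoutList() returns HKLs; the input language ID is the low word."""
    return hkl & 0xFFFF


def matching_locales(user_ui_lang: int, system_ui_lang: int, keyboard_layouts):
    """Names of excluded locales present on the host: UI languages first, then layouts."""
    candidates = [user_ui_lang, system_ui_lang] + [langid_of_layout(h) for h in keyboard_layouts]
    hits = []
    for lid in candidates:
        name = EXCLUDED_LANGIDS.get(lid)
        if name and name not in hits:
            hits.append(name)
    return hits


def would_skip_host(user_ui_lang: int, system_ui_lang: int, keyboard_layouts) -> bool:
    """True if the sample would exit without encrypting on this host."""
    return bool(matching_locales(user_ui_lang, system_ui_lang, keyboard_layouts))


# Constructed inventory: host -> (GetUserDefaultUILanguage, GetSystemDefaultUILanguage,
# GetKeyboardLayoutList).  0x0409 = en-US, 0x0419 = ru-RU, 0x0407 = de-DE.
SAMPLE_HOSTS = {
    "fs01": (0x0409, 0x0409, [0x04090409]),              # en-US only
    "ws17": (0x0409, 0x0409, [0x04090409, 0x04190419]),  # en-US UI, Russian layout added
    "ws42": (0x0419, 0x0409, [0x04190419]),              # Russian user UI language
    "db02": (0x0409, 0x0409, [0x04090409, 0x04070407]),  # en-US with a German layout
}


def hosts_the_sample_would_skip(inventory):
    """Hosts on which the check fires, i.e. the sample would not encrypt."""
    return sorted(host for host, (u, s, kl) in inventory.items() if would_skip_host(u, s, kl))


if __name__ == "__main__":
    for host, (u, s, kl) in SAMPLE_HOSTS.items():
        print(host, matching_locales(u, s, kl) or "would be encrypted")
```

Note that a single added keyboard layout flips the decision for ws17, which is why the "install a Russian keyboard layout" trick circulates. It is not a defence: affiliates control the build and can drop the check, and it does nothing against the hands-on-keyboard stage of the intrusion. Its real value is in a sandbox, where it explains why a sample exits immediately and tells you to re-run it on an en-US image.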

If such an attack occurs, the organization should have its incident response
team carry out a forensic investigation to identify the payload and the
malicious artifacts left behind on the corporate network.

Organizations should always secure their remote access with strong credentials
and two-factor authentication. They should consider making such services
available over VPN only. All publicly exposed servers, applications, and
appliances should be regularly updated and scanned for vulnerabilities,
misconfiguration, and suspicious behavior. Brute force protection that blocks
excessive login attempts with the wrong credentials should also be enabled
wherever possible.
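Brute-force protection on RDP is only as good as the detection behind it. The following is an added example written for this post, not code from the original article: it replays constructed Windows Security event records with the fields that matter from Event ID 4625 (failed logon) and 4624 (successful logon), raises one alert when a source address passes a failure threshold inside a sliding window, and a second when that same source then logs on successfully, which is the pattern that precedes a hands-on-keyboard REvil intrusion over compromised RDP. The threshold, the window and the records are assumptions chosen for the demo.

```python
"""
RDP brute-force detection over constructed Windows Security events, as an
added example.  Only the fields used here are modelled: event id, logon type,
source address, target account and timestamp.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5               # failures from one source inside WINDOW (assumption)
WINDOW = timedelta(minutes=2)    # sliding window (assumption)
RDP_LOGON_TYPE = "10"            # RemoteInteractive; with NLA, failures may show as type 3

# Constructed records; 203.0.113.7 sprays five accounts, then gets in as svc_backup.
SAMPLE_EVENTS = [
    {"id": 4625, "type": "10", "src": "203.0.113.7",  "user": "administrator", "ts": "2021-08-20T02:00:01"},
    {"id": 4625, "type": "10", "src": "203.0.113.7",  "user": "admin",         "ts": "2021-08-20T02:00:11"},
    {"id": 4625, "type": "10", "src": "203.0.113.7",  "user": "backup",        "ts": "2021-08-20T02:00:21"},
    {"id": 4625, "type": "10", "src": "203.0.113.7",  "user": "svc_backup",    "ts": "2021-08-20T02:00:31"},
    {"id": 4625, "type": "10", "src": "203.0.113.7",  "user": "test",          "ts": "2021-08-20T02:00:41"},
    {"id": 4625, "type": "10", "src": "203.0.113.7",  "user": "svc_backup",    "ts": "2021-08-20T02:00:51"},
    {"id": 4624, "type": "10", "src": "203.0.113.7",  "user": "svc_backup",    "ts": "2021-08-20T02:01:30"},
    {"id": 4625, "type": "10", "src": "198.51.100.9", "user": "jdoe",          "ts": "2021-08-20T01:00:00"},  # typo
    {"id": 4625, "type": "10", "src": "198.51.100.9", "user": "jdoe",          "ts": "2021-08-20T01:40:00"},  # typo
    {"id": 4625, "type": "2",  "src": "-",            "user": "jdoe",          "ts": "2021-08-20T02:00:05"},  # console
]


def detect(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Alerts in time order: one per burst, plus one per success that follows a burst."""
    recent = defaultdict(deque)      # src -> timestamps of failures still inside the window
    accounts = defaultdict(set)      # src -> distinct accounts tried (password-spray indicator)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != RDP_LOGON_TYPE:
            continue
        t = datetime.fromisoformat(ev["ts"])
        src = ev["src"]
        q = recent[src]
        while q and t - q[0] > window:          # slide the window forward
            q.popleft()
        if ev["id"] == 4625:
            q.append(t)
            accounts[src].add(ev["user"])
            if len(q) == threshold:             # fire once, as the threshold is crossed
                alerts.append({"kind": "rdp_bruteforce", "src": src, "failures": len(q),
                               "accounts": len(accounts[src]), "ts": ev["ts"]})
        elif ev["id"] == 4624 and len(q) >= threshold:
            # a success while the burst is still inside the window: treat as compromised
            alerts.append({"kind": "rdp_bruteforce_success", "src": src,
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The second alert is the one that matters for REvil: a successful logon right after a burst of failures means the credentials are now in the affiliate's hands, and the account (svc_backup here) and source address should be disabled and blocked before the operator starts mapping the network. Two failures forty minutes apart from 198.51.100.9 never cross the threshold, which keeps ordinary mistyped passwords out of the queue.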


ACTION STEPS

The following actions are required inside local networks to defend against the
attack.


AN EVOLVING THREAT

Since April 2019, the REvil/Sodinokibi ransomware has become prolific and has
grown into one of the most widespread and damaging ransomware families in the
world. It has since gone through several minor updates, and we assess that its
industrious authors will continue to develop it, adding features and improving
its evasion capabilities.


REFERENCES

 * https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack
 * Sodinokibi Ransomware
 * https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-2-billion/
 * https://www.malwarebytes.com/ryuk-ransomware/
 * WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
 * New ‘Sodinokibi’ Ransomware Exploits Critical Oracle WebLogic Flaw
 * https://www.csoonline.com/article/3597298/revil-ransomware-explained-a-widespread-extortion-operation.html
 * https://blogs.blackberry.com/en/2021/05/threat-thursday-dr-revil-ransomware-strikes-again-employs-double-extortion-tactics
 * https://en.wikipedia.org/wiki/Salsa20
 * https://en.wikipedia.org/wiki/RSA_(cryptosystem)



Nilesh Bhamare

Nilesh is a cybersecurity expert specializing in malicious emails and malware.
He has nine years of experience in malware analysis with different anti-virus
vendors and a passion for investigating cyber threats and analyzing new
malware. When not tinkering with malware, Nilesh enjoys cycling, sci-fi
movies, fishkeeping, and gardening.



