REvil’s Ransomware Success Formula: Constant Innovation

Affiliate-Driven Approach and Regular Malware Refinements Are Key, Experts Say

Sodinokibi/REvil ransom note (Source: Malwarebytes)

Just as cloud services have taken the business world by storm, the same can be said for ransomware, including one of today’s most notorious strains: REvil. Also known as Sodinokibi and Sodin, REvil is a ransomware-as-a-service offering, which means a core group develops and maintains the ransomware code and makes it available to affiliates via a portal.


Those affiliates and the core group of operators share in any profits that result from victims paying a ransom. Recent victims that have made payments include meat processor JBS, which paid $11 million in bitcoins.

Many security experts rank REvil among the most damaging and prevalent RaaS operations, alongside Conti, Dopplepaymer (aka Doppelpaymer), Maze offshoot Egregor and Ryuk.

A key to REvil’s success has been its use of skilled affiliates and their ability to access and traverse increasingly large victims’ networks, infect endpoints – now including both Windows and Linux systems – and demand larger ransoms. REvil’s operators also maintain a data-leak portal and can assist affiliates with ransomware negotiations, all of which is designed with one goal: to get victims to pay.

Affiliate Operations

Like other RaaS operations, REvil affiliates use a portal to generate fresh crypto-locking malware executables, each designed to be just different enough from the others to make it difficult for security defenses to detect them.

After affiliates procure a new build of the malware, they use it to infect a victim and leave their files encrypted, except for a ransom note that demands anywhere from $50,000 to $50 million, according to security firm Group-IB.

How REvil and its affiliates operate (Source: Group-IB)

In 2019, every time a victim paid a ransom, the operator’s cut was 40%, dropping to 30% after an affiliate notched up three successful ransom payments. More recently, Group-IB says, the operator’s cut may have fallen to 25%. It also notes that as with some other RaaS operations, REvil’s core operators often handle negotiations with victims.

Experts say this relatively specialized approach – an operator maintaining code and supporting services, and an affiliate infecting victims – has helped drive ongoing increases in the number of organizations being hit as well as the amount of ransom they’re paying. And REvil stands as one of the most successful such operations in recent years.

The Rise of REvil

REvil first appeared in April 2019, seemingly as a spinoff or offshoot of the GandCrab RaaS operation, which “retired” the following month.

The REvil operation quickly began racking up impressive profits, aided by relatively specialized affiliates wielding advanced network penetration skills, and targeting not just poorly secured remote desktop protocol connections but also exploiting unpatched remote-access software from Citrix and Pulse Secure.

Today, the REvil operation remains prolific, with recent big-name victims including JBS, computer maker Acer – REvil demanded a $50 million ransom – as well as University Medical Center of Southern Nevada and Apple equipment manufacturer Quanta, among many others.

The Sodinokibi/REvil dedicated “Happy Blog” data-leaking site attempts to name and shame victims into paying. It has sometimes also featured auctions for especially sensitive material, none of which have ever apparently attracted bidders. (Source: Kela)

On Thursday, REvil’s “Happy Blog,” where affiliates can name victims and post extracts of stolen data, listed four new victims: a U.S. manufacturer, a Spanish telecommunications firm, and a healthcare firm and a construction firm, both from Brazil.

Distribution Tactics

How ransomware gets distributed continues to evolve, and REvil is no exception.

Targeting poorly secured RDP remains a common attack vector, as do phishing attacks. Recently, for example, “REvil affiliates have been seen using a spam campaign to deliver malicious documents and exploit kits targeting old vulnerabilities on unpatched machines as well as most recently through Qakbot,” writes Chad Anderson, a senior security researcher at cyber threat intelligence firm DomainTools, in a new research report.

Group-IB reports that in addition to using the Qakbot botnet – previously used by ProLock, Egregor and DoppelPaymer – REvil affiliates have also been using the IcedID botnet, which has previously been used by affiliates of Maze, Egregor and Conti. Of course, these affiliates may now also be working with REvil; experts say such relationships are rarely exclusive.

For REvil affiliates using Qakbot or IcedID, “both Trojans are distributed via massive spam campaigns,” Group-IB says. “A potential victim receives an email with a weaponized Microsoft Office document, and if it’s opened and malicious macros are enabled, the Trojan binary is downloaded and executed on the host.”

The move by REvil affiliates to use botnets makes sense financially; time is money. “With the speed at which many of these ransomware groups are now moving and the money involved, purchasing access from botnet operators into valuable victim networks is more effective than individual targeting of companies for most affiliates,” Anderson says.

Target Selection

Following the DarkSide operation’s hit on Colonial Pipeline Corp. in the U.S. in May, REvil and other gangs began prohibiting affiliates from hitting certain types of targets and also said they would require permission before deploying the malware against any organization. Experts say it’s not clear whether those are hard-and-fast rules or were simply issued as face-saving missives in light of growing geopolitical pressure on Moscow to crack down on ransomware operations based inside Russia.

In May, REvil instructed affiliates to avoid certain types of targets and to vet all potential targets first with operators. (Source: Group-IB)

When it comes to hitting targets, different REvil affiliates have different skillsets and strategies. “REvil affiliates didn’t always focus on big-game hunting,” Oleg Skulkin, a senior digital forensics analyst at cybersecurity firm Group-IB, writes in a new report.

He notes that last December, for example, at least some REvil affiliates were aiming for “companies with relatively small revenues” by using malvertising – injecting malicious code into legitimate advertising networks – “to trick victims into downloading an archive with a malicious JavaScript file.” If executed, the file “abuses Windows Command Prompt to run a malicious PowerShell command, which finally leads to REvil execution on the target host,” he says.

Post-Exploitation Tools

Regardless of the target size, some affiliates may bring more advanced hacking skills to bear. After gaining access to a victim’s network, for example, Group-IB says post-exploitation tools used by REvil affiliates often include Cobalt Strike, Metasploit, CrackMapExec, PowerShell Empire and Impacket.

“Usually, the threat actors use post-exploitation tools in a quite common way, so if you focus on regular command line arguments typical of Cobalt Strike, PowerShell Empire and others, you’ll most likely successfully detect them,” Skulkin says.

For example, security firm Sophos on Wednesday described a REvil attack in early June against a “mid-size media company” that it helped investigate, which came to light – and was disrupted – precisely because the organization detected the use of Cobalt Strike inside its network.

Technical Teardown: REvil Malware

Security experts say that like most types of ransomware, before crypto-locking a system, REvil first checks whether the system language is set to any country inside the Commonwealth of Independent States, which includes Russia and Ukraine. If it is, the malware shuts down (see: Russia’s Cybercrime Rule Reminder: Never Hack Russians).

If the malware proceeds, DomainTools’ Anderson says, it uses multiple tactics to improve its chance of success. “For instance, REvil samples will attempt to escalate privileges by constantly spamming the user with an administrator login prompt or will reboot into Windows Safe Mode to encrypt files, as antivirus software rarely runs in safe mode,” he says. “REvil uses the AES or Salsa20 encryption algorithms on victim files, which is a slightly unique signature.” REvil’s operators also appear to have implemented the encryption in a…
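As an added illustration of the detection approach Skulkin and Anderson describe above (watching for the command-line arguments typical of PowerShell Empire and Cobalt Strike, and for the Safe Mode reboot), here is constructed Python that is not from the article, Group-IB or DomainTools. It flags two behaviours over sample process-creation events: a hidden, encoded PowerShell launcher, and a bcdedit change that forces the next boot into Safe Mode. The event format, the sample lines and the exact flag patterns are assumptions.

```python
import re

# Constructed sample process-creation events (not from any real incident).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c bcdedit /set {default} safeboot network"},
    {"host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"host": "ws02", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},
]

# Assumed patterns: common spellings of the PowerShell switches that launcher
# one-liners tend to combine, and a bcdedit call that sets the safeboot option.
ENCODED = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)
HIDDEN = re.compile(r"\s-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)
NOPROFILE = re.compile(r"\s-nop(?:rofile)?\b", re.IGNORECASE)
SAFEBOOT = re.compile(r"\bbcdedit\b.*?/set\b.*?\bsafeboot\b", re.IGNORECASE)


def classify(event):
    """Return the list of detection labels that apply to one event."""
    cmd = event["cmdline"]
    findings = []
    is_powershell = event["image"].lower().endswith("powershell.exe")
    # An encoded command combined with a hidden window or suppressed profile
    # is rarely how administrators run PowerShell interactively or by policy.
    if is_powershell and ENCODED.search(cmd) and (HIDDEN.search(cmd) or NOPROFILE.search(cmd)):
        findings.append("encoded-hidden-powershell-launcher")
    # Forcing the next boot into Safe Mode is what lets the ransomware encrypt
    # while most endpoint protection is not loaded; enumeration alone is benign.
    if SAFEBOOT.search(cmd):
        findings.append("safeboot-configuration-change")
    return findings


def scan(events):
    """Run classify over every event and return (host, label, cmdline) triples."""
    return [(e["host"], label, e["cmdline"]) for e in events for label in classify(e)]


if __name__ == "__main__":
    for host, label, cmdline in scan(SAMPLE_EVENTS):
        print(f"{host}: {label}: {cmdline}")
```

In practice the same two rules would be fed from Sysmon or EDR process-creation telemetry rather than an inline list, and a safeboot change on a host that also just launched an encoded PowerShell command deserves immediate isolation.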
