REvil

1. Introduction

This module provides an overview of REvil ransomware, including a demonstration of the malware being executed on a Windows OS.

2. What is REvil?

REvil (Ransomware Evil) is a provider of Ransomware-as-a-Service (RaaS) that first appeared in early 2019. It is believed to be run by a cybercriminal gang operating out of Russia. Although the group only appeared in recent years, its ransomware tools are built on top of an older code base that the gang acquired.

REvil is maintained by the cybercriminal group while the consumer group (known as affiliates) is responsible for disseminating the malware. A review of the statistics of ransomware in 2021 found that the REvil group was behind 25% of all reported ransomware attacks that year.

There have been several high-profile attacks recently that the REvil group has claimed responsibility for, such as:

  • In May 2021, JBS SA, the world's largest meat processing company, had to shut down all US processing plants as they were affected by a ransomware attack. The organization's CEO confirmed that they paid the $11 million ransom payment in Bitcoin to the REvil cybercriminal gang.

  • In July 2021, Kaseya, a worldwide IT infrastructure provider that supplies managed service providers, was the victim of a REvil ransomware attack in which ransomware was delivered in the form of an auto-update to the organization and a reported 1500 downstream customer endpoints. The REvil group initially requested a ransom of $70 million; however, Kaseya confirmed that they didn't make the payment.

Ransomware-as-a-service (RaaS) subscription tools such as REvil are usually purchased by malicious actors who don't have the expertise to code and architect ransomware tools and who therefore spend their time identifying networks that they could exploit and spreading the infection for monetary gain (that is, ransom).

The REvil operators take the standard RaaS model a step further by stealing and exfiltrating the data from the organization before encrypting it — this allows them to threaten to leak the stolen data which applies more pressure when extorting larger ransom payments after the data has been fully encrypted.

RaaS works on a subscription-based model and allows affiliate groups to purchase already created REvil tools to perform ransomware campaigns on their chosen organizations. The affiliate group then receives a percentage of the ransom that is ultimately paid by the victim organization.

3. Typical Attack Vectors

An attack vector is a method that a threat actor could use to gain unauthorized access to an organization's network and spread an infection through the delivery of a malicious payload. REvil affiliate groups have exploited the following attack vectors to gain an initial foothold in their target's environment and lay the foundations for their attack.

Phishing Emails

Hackers craft emails that appear legitimate to the recipient; however, they actually contain a malicious attachment or a direct link to a legitimate website that has been compromised, and therefore have the potential to deliver ransomware to the system receiving the email.

Remote Desktop Protocol (RDP)

  • Misconfigured Systems: Many organizations leave RDP ports open to the internet without understanding the risk this poses to their network. An attacker can scan the environment to identify any public-facing systems that have RDP ports open to the internet, which allows them to attempt a brute force attack to gain an initial foothold in the environment.

  • Brute Force Entry: Once port scanning reconnaissance on a network has identified an RDP port open to the internet, the malicious actor could begin to execute a distributed brute force attack against the hosts identified. A brute force attack is a relatively simplistic attack vector in that the threat actor attempts to guess the RDP password to gain access to the systems. Then, if successful, they begin making the system vulnerable and attempt to propagate malware into the network.

Malvertising

Malvertising involves a legitimate website that is unknowingly hosting a malicious advertisement. The user is usually required to click on the unsafe advertisement, which then launches an attack and begins to install the malware onto the host. It is possible to enhance this attack vector by automatically redirecting visitors from a compromised (but legitimate) site towards a malicious site containing an exploit kit. This fully automates the attack by always redirecting the visitor to the malicious site without requiring any user interaction.

Exploit Kits

Exploit kits are web applications that scan visitor systems for any web-based vulnerabilities that they might be able to exploit while the host system is web browsing. The user believes that they are browsing a legitimate website, but in fact the site has been compromised and they have been diverted to a malicious site known as a landing page. The landing page kick-starts a scan on the host to identify any vulnerabilities present and decide whether the kit moves on to the next stage of the attack. If no vulnerabilities are found and the system is fully patched, all malicious traffic halts and the kit does not carry out any further actions. If vulnerabilities are identified, the exploit kit will begin to run malware on the host that exploits the identified vulnerabilities.

The REvil payload has mainly been observed using a known privilege escalation exploit, with the goal of gaining system-level privileges. Without the threat actor gaining system-level privileges, the payload would be incapable of conducting its attack sequence to exfiltrate data from the environment and then encrypt the files.

4. Attacker TTPs

  • Data Encrypted for Impact (T1486): Encrypting files within the victim organization and then extorting a ransom payment for the decryption key. Files are encrypted using an elliptic curve cryptography approach, which uses asymmetric cryptography so that victims cannot reverse the encryption of the impacted files without the decryption key.

  • Drive-by Compromise (T1189): Infecting a legitimate website, where visitors will then be exploited during their regular browsing activities.

  • System Information Discovery (T1082): Gathering details on systems and hosts during automated discoveries to help plan the next steps of the attack. The knowledge that is discovered through these searches is then used in the actor's subsequent behaviors.

  • Service Stop (T1489): Stopping and disabling services on a machine, which can prevent the legitimate user from responding to an attack as the system becomes unusable. This is usually followed by encryption of the data.

  • Phishing (T1566): Legitimate users receiving emails from malicious actors containing malicious attachments or diversion links to deliver the ransomware.

  • Inhibit System Recovery (T1490): Windows utilities can be used by malicious actors to delete the volume shadow copies on a machine.

As well as the above techniques, REvil ransomware will exfiltrate files to a dedicated leak site as an extortion tactic against the victim organization. Then, the original files are encrypted as a double extortion tactic. Even if the victim has backup files and accepts the loss of the files that have been encrypted, this extortion method forces them to reconsider not paying the ransom, as the data on the dedicated leak site may be highly sensitive.

After this malware is executed, it creates a fingerprint profile of the host it is compromising by gathering a range of information such as computer name, product name, OS name and version, computer language, username, and the randomized file extension that it generates for the encrypted files. After composing the profile of the victim machine, it sends this information in JSON format to its associated Command and Control (C2) Server.

Once REvil ransomware has been executed in a network, it first checks the victim's language using the keyboard layout and system language. If both the language and layout match an allowlist of countries defined by the REvil group (for example, the language and layout being identified as Russian), the malware stops its execution and the process exits.

During execution, REvil also executes a Base64 encoded PowerShell script that will delete the shadow copy of the compromised host to prevent easy system recovery. It also executes a PowerShell script that disables features in Windows Defender.
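For detection, the Base64 layer described above has to be removed before any rule can see the script. The following is an added example, not code from the original module or from REvil: it decodes PowerShell encoded-command arguments and flags the two behaviours named in this section. The rule names, regular expressions and sample command lines are assumptions constructed for illustration.

```python
import base64
import re

# Patterns for the two behaviours described above (names are this example's own).
RULES = {
    "shadow copy deletion (T1490)": re.compile(
        r"win32_shadowcopy.*delete|vssadmin.*delete\s+shadows", re.I | re.S),
    "Windows Defender feature disabled": re.compile(
        r"set-mppreference\b.*-disable\w+\s+(\$true|1)\b", re.I | re.S),
}
# PowerShell accepts abbreviations of -EncodedCommand (-e, -enc, ...). This also
# matches other -e* switches; the length floor and the decode step filter those out.
ENC_ARG = re.compile(r"\s-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the script carried in an encoded-command argument, or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        # The argument is Base64 over UTF-16LE text.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad Base64 or bad UTF-16: not an encoded command
        return None


def triage(cmdline):
    """Names of the rules that match the command line or its decoded payload."""
    script = decode_encoded_command(cmdline) or ""
    return sorted(n for n, rx in RULES.items() if rx.search(cmdline + "\n" + script))


def _enc(script):
    """Encode a script the way PowerShell expects, to build constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines (not taken from a REvil sample).
SAMPLES = [
    "powershell.exe -NoP -e " + _enc("Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"),
    "powershell.exe -EncodedCommand " + _enc("Set-MpPreference -DisableRealtimeMonitoring $true"),
    "powershell.exe -enc " + _enc("Get-Service | Where-Object Status -eq 'Running'"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line) or "no match", "<-", line[:40])
```

The same decode-then-match step applies to command lines collected from process-creation logging; matching on the raw Base64 text alone would miss both flagged samples.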

5. Ransomware execution

Connect to the windows06 machine via the RDP shortcut on the Desktop.

Once you have connected to the windows06 machine desktop, you should see the REvil.exe file is present. Execute this file and watch the ransomware propagate as the machine becomes infected and the files are encrypted. Observe the changes to the file extensions after the REvil malware is executed, and read the ransom note that gets dropped onto the desktop.

6. Encryption Method

To encrypt victim networks, REvil ransomware uses Curve25519 (asymmetric) and Salsa20 (symmetric) encryption algorithms, which is a relatively unusual combination. Curve25519 was created to be used with the elliptic curve Diffie-Hellman (ECDH) key scheme, but in the case of REvil ransomware, it is used to generate the Salsa20 key. Salsa20 is the actual cipher that is used to encrypt user files when REvil ransomware is executed.

Both of these encryption algorithms are very efficient and use shorter keys to help reduce the chances of them being cracked by anyone other than the REvil group themselves. The group has even stated in forums that they believe they have created the best encryption and decryption mechanism that is available from any current ransomware group on the RaaS market.

REvil randomly generates a file extension (between 5 and 10 alphanumeric characters in length) that is appended to the names of the files it encrypts and used to name the ransom note file. During execution, REvil will read each file that hasn't been added to an allowlist, encrypt the contents of the file, and then write the result back to the original file to prevent file recovery from being performed. After the encryption process, a footer is written to the end of the file and the encrypted file is then renamed to include the appended file extension.

After the malware has been executed, a ransom note is dropped onto the compromised machine as a Base64 encoded text file. The note contains instructions for the victim on how to get their files decrypted, pay the ransom, and view their exfiltrated files on a dedicated leak site that is controlled by the attacker.
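The renaming behaviour described in this section leaves a pattern that can be checked during triage. The following is an added example, not part of the original module: it scans a file listing for a single 5 to 10 character alphanumeric suffix appended after the original extension of several files, and reports any other file named after that suffix as a candidate ransom note. The thresholds, the sample listing and the note's file name are assumptions; the page only states that the note is named using the extension.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

EXT_RE = re.compile(r"[A-Za-z0-9]{5,10}")  # extension shape described in the text


def find_appended_extension(paths, min_files=3, min_types=2):
    """Find one 5-10 character alphanumeric suffix appended after the original
    extension of many files, plus any file named after it (the candidate note)."""
    count, types = Counter(), defaultdict(set)
    for p in paths:
        suffixes = PureWindowsPath(p).suffixes        # e.g. ['.xlsx', '.k3q9zt7']
        if len(suffixes) >= 2 and EXT_RE.fullmatch(suffixes[-1][1:]):
            ext = suffixes[-1][1:].lower()
            count[ext] += 1
            types[ext].add(suffixes[-2].lower())
    for ext, n in count.most_common():
        # Requiring several distinct original types filters out ordinary
        # double extensions such as .tar.backup.
        if n >= min_files and len(types[ext]) >= min_types:
            notes = [p for p in paths
                     if ext in PureWindowsPath(p).name.lower()
                     and not p.lower().endswith("." + ext)]
            return {"extension": ext, "files": n, "notes": notes}
    return None


# Constructed listing; the extension and the note's file name are made up.
LISTING = [
    r"C:\Users\demo\Desktop\k3q9zt7-readme.txt",
    r"C:\Users\demo\Documents\budget.xlsx.k3q9zt7",
    r"C:\Users\demo\Documents\notes.docx.k3q9zt7",
    r"C:\Users\demo\Pictures\site.png.k3q9zt7",
    r"C:\Users\demo\Downloads\setup.tar.backup",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    print(find_appended_extension(LISTING))
```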

7. Security questions

  1. Which country does the cybercriminal gang behind REvil operate from?

  2. What year did REvil first emerge and carry out cyberattacks on victim organizations?

  3. Which remote service is often abused

  4. As well as encrypting the files on an organization's network, the REvil group also exfiltrates data to a dedicated site and leaks it if the victim does not pay the ransom. What is this tactic known as?

  5. In the ransom note, what type of browser does the malicious actor ask you to download to access their website?

  6. What is the URL of the .onion site displayed in the ransom note?

  7. Which encryption algorithms does REvil use?

8. Answers

  1. Russia

  2. 2019

  3. RDP

  4. double extortion

  5. TOR

  6. http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1B5ECABE0062F4C7

  7. Salsa20, Curve25519
