REvil (also known as Sodinokibi) is a Ransomware-as-a-Service (RaaS). Its first attacks, in mid-April 2019, drew wide attention from the security community because of the many similarities it shares with GandCrab ransomware and because of its distribution techniques: exploit kits, scanning for and exploiting vulnerable software (such as Oracle WebLogic), RDP servers, and backdoored software installers.
The ransomware developers claim that REvil has made more than $100 million in one year by infecting large businesses. If the ransom is not paid by the victim, the attackers may publish data stolen from the victim's internal network on their blog.
REvil Blog website on Dark Web:
To evade major security solutions such as antivirus and EDR products, REvil hides its string data with the RC4 encryption algorithm. During our investigation we were able to decrypt the strings hidden by the ransomware developers, as shown in the image below.
The configuration data that the ransomware reads is a JSON document stored in a dedicated section of the malware binary named .cfg, together with the RC4 decryption key (pDisBT7geGwku4wBPM2Buiq3TrmvBums).
After RC4 decryption, a large JSON blob is returned to a variable for further processing. Below is an abbreviated version of the configuration for readability.
JSON Config Data:

```json
{
  "wht": {
    "fld": ["boot", "tor browser", "$recycle.bin", "system volume information", "google", "program files (x86)", "msocache", "mozilla", "programdata", "application data", "windows.old", "appdata", "intel", "$windows.~ws", "$windows.~bt", "program files", "perflogs", "windows"],
    "fls": ["ntuser.ini", "bootsect.bak", "desktop.ini", "ntuser.dat", "ntldr", "boot.ini", "bootfont.bin", "iconcache.db", "thumbs.db", "autorun.inf", "ntuser.dat.log"],
    "ext": ["diagcab", "cpl", "mod", "bat", "nls", "ldf", "dll", "ps1", "adv", "prf", "idx", "rtp", "ocx", "icl", "ani", "cab", "rom", "key", "wpx", "icns", "themepack", "msc", "msp", "cur", "theme", "cmd", "diagpkg", "lnk", "ico", "drv", "bin", "nomedia", "lock", "mpa", "hlp", "scr", "shs", "com", "ics", "hta", "msi", "exe", "diagcfg", "msu", "deskthemepack", "386", "msstyles", "spl", "sys"]
  },
  "wfld": ["backup"],
  "prc": ["outlook", "agntsvc", "infopath", "sqbcoreservice", "steam", "firefox", "ocomm", "ocssd", "mydesktopqos", "oracle", "powerpnt", "wordpad", "synctime", "sql", "thebat", "onenote", "excel", "visio", "encsvc", "winword", "mydesktopservice", "dbsnmp", "isqlplussvc", "tbirdconfig", "mspub", "msaccess", "thunderbird", "ocautoupds", "xfssvccon", "dbeng50"],
  "svc": ["svc$", "vss", "sophos", "mepocs", "backup", "sql", "memtas", "veeam"]
}
```
Full version of REvil Config Data in JSON format:
Python script to extract and parse the configuration file from the ransomware:
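The page's own script is shown only as an image; as an added example that is not that script, the Python below implements the RC4 decryption with the key quoted above and then applies the wht whitelist from the decrypted configuration to a file path. It assumes the .cfg payload is the bare RC4 ciphertext of the JSON (the section layout is not described here), and the blob it decrypts is constructed in the script from an abbreviated configuration rather than taken from the real sample.

```python
import json
from pathlib import PureWindowsPath

# RC4 key quoted in the report for this sample's .cfg section.
RC4_KEY = b"pDisBT7geGwku4wBPM2Buiq3TrmvBums"

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so one routine encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decrypt_config(blob: bytes, key: bytes = RC4_KEY) -> dict:
    """Decrypt an RC4-encrypted config blob and parse the JSON it contains."""
    return json.loads(rc4(key, blob).decode("utf-8"))

def is_whitelisted(cfg: dict, path: str) -> bool:
    """Apply wht: a file is skipped if it sits in a listed folder, has a listed name, or a listed extension."""
    wht = cfg["wht"]
    p = PureWindowsPath(path)
    folders = [part.lower() for part in p.parts[:-1]]
    if any(f in wht["fld"] for f in folders):
        return True
    if p.name.lower() in wht["fls"]:
        return True
    return p.suffix.lower().lstrip(".") in wht["ext"]

# Constructed sample: an abbreviated config in the shape shown above, encrypted here with
# the same key so the example runs offline (these are not bytes from the real sample).
SAMPLE_CONFIG = {
    "wht": {"fld": ["boot", "windows", "program files", "$recycle.bin"],
            "fls": ["ntuser.ini", "desktop.ini", "thumbs.db"],
            "ext": ["dll", "exe", "sys", "lnk"]},
    "wfld": ["backup"],
    "prc": ["outlook", "sql", "excel"],
    "svc": ["vss", "veeam", "sophos"],
}
SAMPLE_BLOB = rc4(RC4_KEY, json.dumps(SAMPLE_CONFIG).encode("utf-8"))
```

Calling `decrypt_config(SAMPLE_BLOB)` returns the configuration dictionary, and `is_whitelisted` on a path such as `C:\Windows\System32\kernel32.dll` shows which files the whitelist protects from encryption.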
REvil configuration keys and definitions:
| Key | Definition |
| --- | --- |
| dbg | Boolean value used by the malware developer during development (only checked when determining whether the victim is in Russia) |
| dmn | Semicolon-separated list of domain names that represent REvil command and control (C2) servers (a sinkhole) |
| exp | Boolean value that determines whether REvil should attempt to elevate privileges using a local privilege escalation (LPE) exploit |
| fast | Boolean value that determines whether files larger than 65535 bytes are encrypted in fast or slow mode |
| img | Base64-encoded string of the text placed at the top of the background image created and set by REvil |
| nbody | Base64-encoded ransom note text dropped in folders where files were encrypted |
| nname | Filename of the ransom note dropped in folders where files were encrypted |
| net | Boolean value that determines whether REvil attempts to exfiltrate basic victim and malware information to the C2 servers listed in the dmn key (a sinkhole) |
| pid | Integer value that is only referenced when the net key is set to true and basic victim and malware information is sent to the C2 server |
| sub | Integer value that is only referenced when sending basic victim and malware information to the C2 server, if configured to do so via the net key |
| pk | Base64-encoded attacker public key used to encrypt files with RSA |
| prc | Array of process names that REvil attempts to terminate before encrypting and wiping folders, to prevent resource conflicts |
| wipe | Boolean value that determines whether REvil attempts to wipe the blacklisted folders specified in the wfld key |
| wfld | Array of blacklisted folder names; if the wipe key is set to true, REvil attempts to wipe these folders before the encryption process |
| wht | Contains the following subkeys representing whitelisted data that REvil will not encrypt: ext (whitelisted file extensions), fld (whitelisted folder names), fls (explicitly whitelisted filenames) |
In the full JSON configuration, the ransom note (README) appears as a Base64-encoded string; we decoded it as shown in the image below.
REvil manually populates its import address table (IAT) as an anti-analysis technique: it loops over a list of DWORDs and writes each resolved function pointer into the import table. To bypass this, run the ransomware binary in x32dbg and dump the memory with Scylla after the call to the IAT population function, as shown in section “4-Unpack REvil”.
The newest version of REvil has optional command-line parameters that control different aspects of the infection process.
| Parameter | Description |
| --- | --- |
| nolan | Do not encrypt network shares |
| nolocal | Do not encrypt local files |
| path | Specify the directory to encrypt |
| smode | Reboots the computer into Windows Safe Mode |
| silent | Do not kill processes and services |
| fast | Only encrypts the first MB of a file (sets et to 1) |
| full | Encrypts the entire file (sets et to 0) |
REvil stores session encryption keys in the host’s registry. The key and value pairs are created under either HKLM or HKCU; the newest REvil sample hides them under HKLM\SOFTWARE\WOW6432Node\BlackLivesMatter\.
Registry keys and values created by REvil. The stat JSON data structure is encrypted with the same algorithm used to encrypt the session private key stored in the registry.
| Key | Value |
| --- | --- |
| 54k | Contains the value of pk from the configuration |
| Krdfp | Contains the private key encrypted by the public key in the configuration |
| a0w0 | Contains the public key generated from the elliptic curve function |
| hq0G6X | Contains the public key generated from the elliptic curve function |
| hq0G6X | Contains the private key encrypted by the public key in the binary |
| XFx41h1r | Contains an encrypted string containing the information that is sent to the C2 servers |
| x4WHjRs | Contains the random file extension that gets appended to encrypted files |
REvil profiles the compromised host by collecting the following information:
REvil converts this information into a “stat” JSON data structure, adds further keys associated with the ransomware itself, and sends it to the C2 server.
Decrypted JSON stat data:

```json
{
  "bit": 86,
  "bro": false,
  "dsk": "QwADAAAAAPDf/xgAAAAA0LxsFQAAAA==",
  "grp": "WORKGROUP",
  "lng": "en-US",
  "net": "VICTIM-HOSTNAME",
  "os": "Windows 7",
  "pid": "10",
  "pk": "nAjfiPcoIyeIwwCkM1hLhXo5HUQMtrAB+7m8eHzerho=",
  "sk": "ww8h065kK3Tm7Thg/Y0nT3tSLReYMJUoaVVIkkDq8/L/5k1IcaoVFKkDtKcrdap6Q1mzZd+B6oAD2McVjLnWu6F/w0VVVHvGr/RJWfwH5cnTppruevrgog==",
  "sub": "3",
  "uid": "A4DF893FF284306J",
  "unm": "VICTIM-JOHN",
  "ver": 257
}
```
After execution, the first thing REvil does is identify the system’s user interface language and the user’s keyboard layout. It calls the GetUserDefaultUILanguage and GetSystemDefaultUILanguage Windows APIs to obtain the language code and compares that code against a list of hardcoded values. If the system language matches one of them, as in the image below, the program exits and no encryption takes place.
List of languages that are whitelisted from encryption:
If the net value in the JSON configuration is set to true, REvil reaches out to one of the command and control (C2) servers from the dmn list. First it splits the list of domains on the “;” character. For each C2 server in the list, REvil builds data in the following JSON format:
```json
{
  "ver": "Version info (0x205, or 2.05 in this case)",
  "pid": "pid value from config",
  "sub": "sub value from config",
  "pk": "pk value from config, base64 decoded",
  "uid": "Volume Serial Number and CPU Info",
  "sk": "Private Key encrypted by the value of pk",
  "unm": "Account Username",
  "net": "Computer Name",
  "grp": "Computer Domain Name",
  "lng": "Language Used (i.e. en-us)",
  "bro": "Boolean returned by the language and keyboard check",
  "os": "Product Name",
  "bit": "Architecture Used (x32 or x64)",
  "dsk": "Base64 encoded information about the drives on the computer",
  "ext": "Generated extension used for encrypted files"
}
```
REvil then encrypts this JSON string with a third public key stored in the binary, using the same encryption method that was used to encrypt the generated private key described earlier in this report. Once the JSON is encrypted, REvil takes the C2 server and builds a random URL, as in the following example:
REvil then sends the JSON data in a POST request with the following headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Content-Type: application/octet-stream
Connection: close
During our analysis we found that REvil hides its Windows API imports (the import table) for evasion; this technique alone can bypass major AV and EDR solutions. We were able to defeat it by debugging the sample and setting breakpoints on <kernel32.dll.VerifyVersionInfoW> and <kernel32.dll.CloseHandle>. When the debugger hits the breakpoint on <kernel32.dll.CloseHandle>, the import table has been pushed onto the stack, so we can observe the Windows APIs used by REvil, which gives strong insight into the behaviour of the malware itself.
Section 2.2 shows that the import tables are just the tip of the iceberg.
Full list of the import table after unpacking:
WinHttpSendRequest(), used to make connections to the command and control server; this API function was not visible before unpacking.
NetShareEnum() is used for spreading the malware on the internal network by abusing SMB.
Unpacked REvil ransomware sample: https://github.com/whichbuffer/Malware-Analysis/blob/main/MalwareSample/REvil/d74f04f0b948d9586629e06e2a2a21bdf20d678e47058afb637414eb3701c1f6_dump_SCY.bin
| ATT&CK ID | ATT&CK Technique |
| --- | --- |
| T1098 | Account Manipulation |
| T1547 | Boot or Logon Autostart Execution |
| T1548 | Abuse Elevation Control Mechanism |
| T1134 | Access Token Manipulation |
| T1112 | Modify Registry |
| T1027 | Obfuscated Files or Information |
| T1083 | File and Directory Discovery |
| T1135 | Network Share Discovery |
| T1486 | Data Encrypted for Impact |
| T1489 | Service Stop |
SHA-256: d74f04f0b948d9586629e06e2a2a21bdf20d678e47058afb637414eb3701c1f6
Registry Keys:
SOFTWARE\BlackLivesMatter\54k
SOFTWARE\BlackLivesMatter\Krdfp
SOFTWARE\BlackLivesMatter\a0w0
SOFTWARE\BlackLivesMatter\hq0G6X
SOFTWARE\BlackLivesMatter\XFx41h1r
SOFTWARE\BlackLivesMatter\x4WHjRs
HTTP Headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Content-Type: application/octet-stream
Connection: close
URL Regex and Decryption sites:
https:\/\/[^\/]+\/(wp-content|static|content|include|uploads|news|data|admin)\/(images|pictures|image|temp|tmp|graphic|ass
aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd[.]onion
decoder[.]re
The ransom note is stored as a Base64-encoded string in REvil’s configuration file under the body field. The note in this sample contains:
Wallpaper after being changed by REvil
The note containing instructions for the ransom payment
The ransom note instructs the victim to use a unique URL to decrypt their files. The URL leads to an attacker-controlled website that displays the form shown in the image; victims must provide the key and extension name included in the ransom note. The key in the ransom note is the Base64-encoded representation of the encrypted state data stored in the registry.
The victim is then informed of the cost, in Bitcoin, of decrypting their files.