REvil

REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil is highly configurable and shares code similarities with the GandCrab RaaS.[1][2][3]

ID: S0496
Associated Software: Sodin, Sodinokibi
Type: MALWARE
Platforms: Windows
Contributors: Edward Millington
Version: 1.0
Created: 04 August 2020
Last Modified: 05 October 2020

Associated Software Descriptions

Name        Description
Sodin       [2][4]
Sodinokibi  [1][2][5][4][6][7][8][9][10][11]

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

REvil can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.[9]

Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

REvil can launch an instance of itself with administrative rights using runas.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

REvil has used HTTP and HTTPS in communication with C2.[6][7][9][2][1]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

REvil has used obfuscated VBA macros for execution.[5][11]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

REvil can use the Windows command line to delete volume shadow copies and disable recovery.[6][8][11][1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

REvil has used PowerShell to delete volume shadow copies and download files.[7][8][2][3]

Enterprise T1485 Data Destruction

REvil has the capability to destroy files and folders.[4][7][9][2][11][1]

Enterprise T1486 Data Encrypted for Impact

REvil can encrypt files on victim systems and demand a ransom to decrypt them.[4][6][8][10][2][11][1]

Enterprise T1140 Deobfuscate/Decode Files or Information

REvil can decode encrypted strings to enable execution of commands and payloads.[5][4][6][9][2][1]

Enterprise T1189 Drive-by Compromise

REvil has infected victim machines through compromised websites and exploit kits.[1][9][11][7]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

REvil has encrypted C2 communications with the ECIES algorithm.[4]

Enterprise T1041 Exfiltration Over C2 Channel

REvil can exfiltrate host and malware information to C2 servers.[1]

Enterprise T1083 File and Directory Discovery

REvil has the ability to identify specific files and directories that are not to be encrypted.[4][6][7][9][2][1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

REvil can connect to and disable the Symantec server on the victim's network.[6]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

REvil can mark its binary code for deletion after reboot.[2]

Enterprise T1105 Ingress Tool Transfer

REvil can download a copy of itself from an attacker-controlled IP address to the victim machine.[8][9][11]

Enterprise T1490 Inhibit System Recovery

REvil can use vssadmin to delete volume shadow copies and bcdedit to disable recovery features.[4][6][7][8][9][2][11][1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

REvil can mimic the names of known executables.[11]

Enterprise T1112 Modify Registry

REvil can save encryption parameters and system information to the Registry.[6][7][9][2][1]

Enterprise T1106 Native API

REvil can use Native API for execution and to retrieve active services.[1][2]

Enterprise T1027 Obfuscated Files or Information

REvil has used encrypted strings and configuration files.[5][7][9][2][3][11][1]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

REvil can identify the domain membership of a compromised host.[4][9][1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

REvil has been distributed via malicious e-mail attachments, including MS Word documents.[5][6][1][9][11]

Enterprise T1055 Process Injection

REvil can inject itself into running processes on a compromised host.[10]

Enterprise T1012 Query Registry

REvil can query the Registry to get random file extensions to append to encrypted files.[1]

Enterprise T1489 Service Stop

REvil has the capability to stop services and kill processes.[2][1]

Enterprise T1082 System Information Discovery

REvil can identify the username, machine name, system language, keyboard layout, OS version, and system drive information on a compromised host.[4][6][7][9][2][3][1]

Enterprise T1007 System Service Discovery

REvil can enumerate active services.[2]

Enterprise T1204 .002 User Execution: Malicious File

REvil has been executed via malicious MS Word e-mail attachments.[5][10][11]

Enterprise T1047 Windows Management Instrumentation

REvil can use WMI to monitor for and kill specific processes listed in its configuration file.[7][3]
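A detection check for the Inhibit System Recovery (T1490) and Windows Command Shell entries above, added here as an example and not part of the ATT&CK page: it runs regexes for the vssadmin shadow-copy deletion and bcdedit recovery changes those entries describe over constructed process-creation events, and only alerts when one parent process chains several of them. The exact command-line syntax and the event field names are assumptions.

```python
import re

# Constructed sample process-creation events (parent image, image, command
# line); they are not from the page and mimic a minimal Sysmon/EDR record.
TEMP_DROPPER = "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe"
SAMPLE_EVENTS = [
    {"parent": TEMP_DROPPER, "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"parent": TEMP_DROPPER, "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"parent": TEMP_DROPPER, "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    # Benign: an admin only listing shadow copies, not deleting them.
    {"parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]

# (ATT&CK technique, description, regex over the command line)
RULES = [
    ("T1490", "shadow copy deletion via vssadmin",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "Windows recovery disabled via bcdedit",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490", "boot status policy set to ignore failures via bcdedit",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]


def match_event(event):
    """Return the (technique, description) pairs whose regex hits this event."""
    return [(tid, desc) for tid, desc, rx in RULES if rx.search(event["cmdline"])]


def detect_inhibit_recovery(events, min_hits=2):
    """Group hits by parent process and flag parents tripping >= min_hits distinct
    rules. A lone vssadmin call has legitimate admin uses; the pattern the page
    attributes to REvil is shadow-copy deletion chained with bcdedit changes."""
    hits = {}
    for ev in events:
        for _, desc in match_event(ev):
            hits.setdefault(ev["parent"], set()).add(desc)
    return {p: sorted(d) for p, d in hits.items() if len(d) >= min_hits}


if __name__ == "__main__":
    for parent, descs in detect_inhibit_recovery(SAMPLE_EVENTS).items():
        print(f"ALERT T1490 parent={parent}: {'; '.join(descs)}")
```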

Groups That Use This Software

ID     Name             References
G0115  GOLD SOUTHFIELD  [1][7]

References