REvil
Published: November 30, 2022. Last updated: September 17, 2025.

REvil Ransomware: In-Depth Analysis, Detection, and Mitigation

As if ransomware itself weren't dangerous enough, a business model built around it has been making waves in the security community. Ransomware-as-a-Service (RaaS) operations are becoming more common and more profitable for threat actors looking to launch a variety of attacks. One such operation was REvil, in which a core team of developers rented the malware to other attackers (affiliates) in exchange for a share of each ransom.

Although the Russian Federal Security Service (FSB) claims to have dismantled REvil and charged several of the group's members, a closer look at this ransomware and at the RaaS model can help organizations protect themselves against similar attacks in the future.


What Is REvil Ransomware?

REvil ransomware (also known as Sodinokibi) works like most other ransomware. After infection it encrypts the victim's files and drops a ransom note that names a price and a payment deadline; if the ransom isn't paid in time, the demand typically doubles. Because only the attackers hold the decryption key, victims of REvil are usually at their mercy.

REvil was also among the first ransomware families to practice double extortion: stealing files before encrypting them and threatening to publish the data online unless the victim pays.

Although REvil was one of the most active ransomware families in 2021, the FSB purportedly shut it down in early 2022 after its attacks on critical infrastructure caused supply shortages and delays. Organizations would nonetheless be wise not to dismiss this threat: the affiliates, tooling and techniques outlive any single brand, so regrouping and restrategizing to prevent this class of attack is the best path forward.

What Is Ransomware as a Service?

REvil is one example of Ransomware-as-a-Service (RaaS), a relatively new business model in which a ransomware group sells or rents its malware to affiliate threat actors. The rise of RaaS is credited as one of the primary reasons for the recent proliferation of ransomware attacks: it lets a broad spectrum of actors, including those with little development skill of their own, deploy ransomware against targets.

In REvil's case, the core group reportedly kept a 40% cut of each ransom paid to an affiliate in exchange for providing the malware, the payment portal and support. Researchers later reported that the malware also contained a backdoor that let the core team chat directly with victims and demand additional ransom payments, bypassing the affiliate altogether.

REvil Ransomware History

REvil was first observed in April 2019 and, at the time of writing in 2022, remained one of the most formidable ransomware threats. It was behind several high-profile, high-impact attacks, including those against Kaseya and JBS.

What Does REvil Ransomware Target?

REvil ransomware commonly targets large enterprises, government organizations and educational institutions. It is also known to heavily target the healthcare, transportation and technology sectors.

REvil avoids targeting systems within the Commonwealth of Independent States (CIS): the malware checks the system language and installed keyboard layouts at run time and exits without encrypting when it detects a CIS locale.

How Does REvil Ransomware Work?

REvil typically spreads through phishing emails carrying a malicious attachment or link; when the victim opens the attachment or follows the link, the ransomware (or a loader that later fetches it) is installed on the device. The other common route is exploitation of vulnerable, internet-facing software.

Publicly known vulnerabilities used by REvil include:

  • CVE-2021-30116 – Kaseya VSA (used in the July 2021 supply-chain attack)
  • CVE-2021-30119 – Kaseya VSA (cross-site scripting)
  • CVE-2021-30110 – Kaseya
  • CVE-2019-19781 – Citrix ADC and Gateway (directory traversal leading to remote code execution)
  • CVE-2019-11510 – Pulse Connect Secure VPN (pre-authentication arbitrary file read)
  • CVE-2019-11539 – Pulse Connect Secure VPN (post-authentication command injection)
  • CVE-2018-13379 – Fortinet FortiOS SSL VPN (path traversal, credential disclosure)

REvil affiliates also use other malware, such as trojans, loaders or backdoors, to gain access to a victim's device or to spread within the network. They may also exploit further vulnerabilities inside the environment, or use other means such as peer-to-peer networks or drive-by downloads, to reach additional hosts.

REvil Ransomware Technical Details

REvil is associated with multiple actors and threat families. At its core, REvil is a RaaS (Ransomware-as-a-Service) offering marketed to a small, vetted set of affiliates. Initial access and delivery are typically via exploitation of publicly disclosed vulnerabilities or via additional frameworks and loaders (e.g., Cobalt Strike, TrickBot).

REvil payloads are aggressive and can rapidly encrypt an entire drive along with any mapped or otherwise reachable drives. Recent variants use Salsa20 for file encryption because of its speed. Recent updates also added the ability to reboot the host into Safe Mode and encrypt from there, where most security tools do not run, along with improved persistence mechanisms (e.g., scheduled tasks, Registry Run keys).

REvil typically relies on WMI for system information discovery and for manipulation, such as terminating processes that would otherwise block file encryption.

REvil maintains a public Tor-based blog ("Happy Blog") where it lists victims and any associated leaks or sales of data.
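The behaviours just described (forcing a Safe Mode boot before encrypting, persisting through Run/RunOnce keys or scheduled tasks, and using WMI to enumerate and kill processes) are visible in process-creation telemetry. The following Python is an added example, not SentinelOne's or REvil's code: it applies command-line rules for those behaviours, plus a check for system-binary names such as svchost.exe running outside the Windows system directories, to a constructed list of Sysmon-style process-creation events. The event contents, the rule patterns and the MITRE ATT&CK IDs attached to each rule are the example's own assumptions; tune them to your telemetry.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """One Sysmon-style process-creation record (constructed for this example)."""
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


# (description, ATT&CK technique, pattern applied to the command line).
# The patterns are assumptions modelled on the behaviours the text lists.
CMDLINE_RULES = [
    ("forces a Safe Mode boot (encrypt where security tools do not run)", "T1562.009",
     re.compile(r"\b(bcdedit|bootcfg)(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("Run/RunOnce key persistence via reg.exe", "T1547.001",
     re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run(Once)?\b", re.I)),
    ("scheduled-task persistence", "T1053.005",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    ("WMI process termination", "T1047",
     re.compile(r"\bwmic(\.exe)?\s+process\b.*\bcall\s+terminate\b", re.I)),
    ("WMI system or process enumeration", "T1047",
     re.compile(r"\bwmic(\.exe)?\s+(process|os|computersystem|logicaldisk)\b.*\b(get|list)\b", re.I)),
]

# Windows binaries that legitimately run only from the system directories.
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def masquerade(image: str):
    """Return a description if `image` borrows a system-binary name but
    lives outside the system directories, else None."""
    path = PureWindowsPath(image)
    name = path.name.lower()
    if name in SYSTEM_BINARIES and str(path.parent).lower() not in SYSTEM_DIRS:
        return f"{name} running from {path.parent} instead of System32"
    return None


def analyse(events):
    """Return (event index, technique, description) for every rule hit."""
    findings = []
    for i, ev in enumerate(events):
        for desc, technique, pattern in CMDLINE_RULES:
            if pattern.search(ev.command_line):
                findings.append((i, technique, desc))
        hit = masquerade(ev.image)
        if hit:
            findings.append((i, "T1036.005", hit))
    return findings


# Constructed telemetry: one benign service host, then a chain driven by a
# dropper masquerading as svchost.exe in C:\Users\Public. Not a real capture.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(r"C:\Windows\System32\bcdedit.exe",
              "bcdedit /set {current} safeboot network",
              r"C:\Users\Public\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce '
              r'/v "*Restart" /d "C:\Users\Public\svchost.exe"',
              r"C:\Users\Public\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic process where \"name='sqlservr.exe'\" call terminate",
              r"C:\Users\Public\svchost.exe"),
    ProcEvent(r"C:\Users\Public\svchost.exe", r"C:\Users\Public\svchost.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              'schtasks /create /tn "Updater" /tr C:\\Users\\Public\\svchost.exe /sc onlogon',
              r"C:\Users\Public\svchost.exe"),
]


if __name__ == "__main__":
    for idx, technique, desc in analyse(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{technique}] {desc}\n    image={ev.image}\n    cmd={ev.command_line}")
```

The benign first event produces nothing; each of the other five produces exactly one finding. In production these rules belong in your EDR or SIEM as correlation on a single parent, since any one of them alone (a scheduled task, a reg add) is common administrative noise, while the sequence safeboot, RunOnce and WMI terminate from one non-standard parent is not.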

How to Detect REvil Ransomware

The SentinelOne Singularity XDR Platform detects and prevents malicious behaviors and artifacts associated with REvil.

If you do not have SentinelOne deployed, detecting REvil requires a combination of technical and operational measures designed to identify and flag suspicious activity on hosts and on the network, so that the organization can act before encryption starts, or contain it once it has.

When trying to detect REvil without SentinelOne deployed, look for:

  1. Unexpected files or folders appearing on the device, for example files renamed with a new, previously unseen extension or with names such as "!.R5C", "!.R5A" or "!.R5E", and a ransom note dropped into each affected folder.
  2. Mass encryption or modification of files (REvil itself uses Salsa20, as noted above), visible as a burst of file renames and writes by a single process.
  3. A ransom note on the device with instructions on how to pay, a payment deadline and a Tor address for negotiation.
  4. An increase in outbound network traffic as REvil communicates with the attacker's command-and-control (C&C) infrastructure.
  5. Processes that carry Windows system-binary names such as "svchost.exe" or "csrss.exe" but run from a non-standard path (anything outside C:\Windows\System32) or with an unexpected parent; the names themselves are legitimate, so the path and parent are what make them suspicious.
  6. An increase in error messages or system crashes as REvil kills processes and encrypts files.
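Indicators 1 through 3 above are file-system behaviour and can be caught before a device is fully encrypted: one process renaming many files to a new extension within seconds, then dropping a note that reads like a ransom demand. The Python below is an added example rather than SentinelOne code; it runs a sliding-window rename-burst heuristic and a ransom-note phrase check over a constructed file-event timeline embedded in the script. The extension `.k7x2q`, the note name and text, the 20-renames-in-10-seconds threshold and the phrase list are all the example's own assumptions, not REvil-specific values (REvil uses a random per-victim extension, so match on novelty rather than on a fixed string), and a real pipeline would have to read the note content from disk, since process and file events do not carry it.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileEvent:
    """A constructed file-activity record (EDR/Sysmon-like)."""
    ts: float           # seconds since epoch
    process: str        # image name of the process performing the operation
    op: str             # "create" or "rename"
    path: str           # created path, or the new path for a rename
    old_path: str = ""  # previous path for renames
    content: str = ""   # file text; read from disk in a real pipeline


# Phrases typical of ransom notes; three or more hits is treated as a note.
RANSOM_PHRASES = [re.compile(p, re.I) for p in (
    r"your (files|data|network) (are|is|has been) encrypted",
    r"\bdecrypt(ion|or)?\b",
    r"\bpay(ment)?\b",
    r"\bbitcoin\b|\bmonero\b|\bbtc\b",
    r"\btor\b|\.onion\b",
)]


def extension(path: str) -> str:
    return PureWindowsPath(path).suffix.lower()


def detect_rename_burst(events, window=10.0, threshold=20):
    """Flag (process, new extension) pairs where one process renames at
    least `threshold` files to the same new extension within `window`
    seconds. Only renames that change the extension count, so a normal
    save that swaps a temp file into place is ignored."""
    recent = defaultdict(deque)   # (process, ext) -> timestamps inside the window
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op != "rename":
            continue
        new_ext = extension(ev.path)
        if not new_ext or new_ext == extension(ev.old_path):
            continue
        key = (ev.process, new_ext)
        stamps = recent[key]
        stamps.append(ev.ts)
        while ev.ts - stamps[0] > window:
            stamps.popleft()
        if len(stamps) >= threshold and key not in flagged:
            flagged.append(key)
    return flagged


def detect_ransom_note(events, min_hits=3):
    """Return (process, path) for created files whose text matches at
    least `min_hits` of the ransom phrases."""
    notes = []
    for ev in events:
        if ev.op == "create" and ev.content:
            hits = sum(1 for p in RANSOM_PHRASES if p.search(ev.content))
            if hits >= min_hits:
                notes.append((ev.process, ev.path))
    return notes


def build_sample_events():
    """Constructed timeline: Word saving a document normally, then an
    unknown process renaming 25 spreadsheets to '.k7x2q' in 2.5 seconds
    and dropping a note. Nothing here is captured from a real incident."""
    docs = r"C:\Users\ann\Documents"
    events = [
        FileEvent(100.0, "winword.exe", "create", rf"{docs}\~WRL0001.tmp"),
        FileEvent(101.0, "winword.exe", "rename", rf"{docs}\budget.docx",
                  old_path=rf"{docs}\~WRL0001.tmp"),
    ]
    for i in range(25):
        original = rf"{docs}\q{i}.xlsx"
        events.append(FileEvent(200.0 + i * 0.1, "svchost.exe", "rename",
                                original + ".k7x2q", old_path=original))
    events.append(FileEvent(203.0, "svchost.exe", "create", rf"{docs}\k7x2q-readme.txt",
                            content="All your files are encrypted. To get the decryptor "
                                    "you must pay in Bitcoin. Install the Tor browser and "
                                    "open the address below."))
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    print("rename bursts:", detect_rename_burst(sample))
    print("ransom notes :", detect_ransom_note(sample))
```

On the sample timeline the benign Word save never reaches the threshold, the 20th rename by svchost.exe trips the burst rule, and the note matches five of the five phrase patterns. The burst rule is the one worth acting on automatically (isolate the host, suspend the process); the note check fires later and mainly confirms which folders were touched.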

Here are more ways you can identify ransomware in your network:

Security Tools

Use anti-malware software or other security tools capable of detecting and blocking known ransomware variants. These tools may use signatures, heuristics or machine-learning models to identify and block suspicious files or activities.

Network Traffic

Monitor network traffic and look for indicators of compromise, such as unusual network traffic patterns or communication with known command-and-control servers.

Security Audits

Conduct regular security audits and assessments to identify network and system vulnerabilities and ensure that all security controls are in place and functioning properly.

Education & Training

Educate and train employees on cybersecurity best practices, including identifying and reporting suspicious emails or other threats.

Backup & Recovery Plan

Implement a robust backup and recovery plan so that the organization holds a copy of its data and can restore it after an attack. Keep at least one copy offline or immutable, so that neither the ransomware nor the operators behind it can encrypt or delete it, and test restores regularly.

How to Mitigate REvil Ransomware

The SentinelOne Singularity XDR Platform prevents REvil infections by detecting and blocking the malicious behaviors and artifacts associated with REvil.

If you do not have SentinelOne deployed, there are several steps your organization can take:

Disconnect infected devices from the network

To stop the ransomware from spreading and to isolate the threat, disconnect infected devices from the network as soon as possible, by unplugging the network cable, disabling the network adapter, or quarantining the port on the switch or router. Prefer network isolation over powering the device off, since memory and running-process state are useful evidence for the investigation.

Run a malware scan

To remove REvil, run a scan on the infected device with reputable anti-malware or EDR tooling, which will identify and remove the ransomware binary along with any other malware present. Removing the binary does not decrypt files, and the persistence the malware added (scheduled tasks, Run keys, Safe Mode boot settings) should be checked and reverted as well.

Restore from backups

To recover encrypted files, restore from backups if available, whether a recent local backup, a backup server or a cloud backup service. Verify first that the backups were not reachable from the infected hosts and were not themselves encrypted or deleted, and restore only onto cleaned or rebuilt systems so that the data is not encrypted a second time.

Consult with experts

If the ransomware cannot be removed, or the encrypted files cannot be restored, consult security experts such as forensic analysts or an incident response team. They can assess the damage, help restore systems and recommend controls to prevent future attacks.


Frequently Asked Questions

REvil, also known as Sodinokibi, is a ransomware-as-a-service (RaaS) threat that first emerged in April 2019. It encrypts data on compromised systems and promises to restore it in exchange for a ransom. REvil gained notoriety for high-profile attacks and for double extortion, threatening to publish stolen information if the ransom was not paid.

REvil is based on a RaaS model in which a central team develops the ransomware and recruits affiliates to distribute it. The affiliates carry out the attacks with REvil's malware, and each ransom is split between the affiliate and the REvil developers, which encourages widespread distribution.

REvil's victims have included the healthcare, finance and legal-services sectors. Its attacks caused significant disruption, especially in industries where data must be kept confidential or must be readily available.

REvil uses strong cryptography: recent variants encrypt files with the Salsa20 stream cipher, and the file keys are protected with Curve25519 public-key cryptography so that only the operators, who hold the private key, can recover them.

REvil operates across networks, exploiting vulnerabilities in software and systems. It gains initial access through phishing emails or exploitation of exposed services, moves laterally using stolen credentials, and has also entered environments through exposed Remote Desktop Protocol (RDP) connections.

Yes. REvil exfiltrates data before encryption, a tactic known as double extortion. By stealing sensitive data and threatening to release it, REvil puts extra pressure on victims to pay, through the prospect of both data loss and reputational damage.

Organizations should enforce multi-factor authentication, particularly on VPNs, remote-management tools and RDP, and regularly patch systems, prioritizing internet-facing appliances such as those in the CVE list above. They can also protect against REvil with tools like the SentinelOne Singularity XDR Platform.

The most significant attacks involving REvil were the July 2021 attack on Kaseya VSA, which affected multiple managed service providers and their customers and caused mass disruption, and the attack on JBS S.A., one of the world's largest meat processors, which led to severe operational disruption.
