REvil, also known as Sodinokibi ransomware was first spotted in April 2019, it attacks Windows PCs to encrypt all the files on local drives (besides those enlisted in their configuration file) and leaves a ransom note on affected systems with instructions to get the files decrypted in turn of the demanded ransom. It shares a similar code as GandCrab ransomware and is said to be distributed by the authors of the aforementioned ransomware which saw a steep decline in its activity with the arrival of REvil. The claim regarding similarity was based on observations made by experts that point towards an identical set of techniques used in attacks, similar countries targeted, and the language.
The ransomware strain exploits an Oracle WebLogic vulnerability to elevate privileges and in order to generate and propagate encryption keys; REvil makes use of an Elliptic-curve Diffie Hellman key exchange algorithm. Let’s take a look at its latest activities.
As per sources, the ransomware tries not to attack systems belonging to Iran, Russia other countries that were once a part of the Soviet Union. However, it has affected a number of organizations across various other regions. In the year 2020, REvil attackers have limited their infection to North American and Western European organizations, targeting National Eating Disorders Association, Agromart Group, etc, and Atlas Cars, Plaza Collection, etc respectively.
The ransomware operators have developed a special interest in the manufacturing sector; food and beverage distributing businesses have seen an unprecedented number of ransomware attacks lately. The top targets from the industry include Harvest Food Distributers, Brown Forman Daniel’s, Sherwood Food Distributers, and Lion. Other industries that were heavily targeted by REvil range from media, retail, entertainment, health, IT, transport, real estate, government, energy, and non-profit.
How does it operate?
REvil begins with exploiting the CVE-2018-8453 vulnerability and proceeds to eliminate resource conflicts by terminating blacklist processes before the process of encryption. It wipes the contents of blacklisted folders and then encrypts files on local storage devices and network shares, finally exfiltrating basic host information.
Initially, REvil was noticed to be attacking businesses by exploiting vulnerabilities, But, since the past year, the operators have started employing common infection vectors namely phishing and exploit kits.