Notorious Revil Ransomware Gang Resurfaces After Hiatus

The servers for the notorious ransomware strain REvil Ransomware have suddenly switched back online following a 2 month absence. The REvil Ransomware gang is one of the most profilic cybercriminal gangs, and operates from Russian. The gang is accused of leading a flurry of attacks in the past few years, with attacks in the last 12 months soaring. One of the most notable attacks this year was against meat supplier JBS, who paid a $11 million ransom to the gang.

On July 2nd, the REvil ransomware gang, aka Sodinokibi, used a zero-day vulnerability in the Kaseya VSA remote management software to encrypt approximately 60 managed service providers (MSPs) and over 1,500 of their business customers. The gang demanded $5 million from MSPs in exchange for the decrypter, and $70 million for a master decrypter for all Kaseya victims.

Later that week, the gang faced increasing pressure from law enforcement as US President Joe Biden held a summit with Russian Prime Minister Vladimir Putin, who agreed to tackle ransomware gangs within Russian borders.

Shortly after the summit, the REvil Ransomware gang dissapeared, and their servers and infrastructure were shut down. At the time, it left victims who wanted to negotiate with no clear path to do so.

Soon, Kaseya recieved the master decrypter from a “trusted third party”, which enable victims to decrypt all affected devices. It is still unknown who supplied this, though it is believed that Russian intelligence received the decryption key from the threat actors and passed it along to the FBI as a gesture of goodwill.

While the cybersecurity community were in good spirits following the apparent downfall of REvil Ransomware, both the Tor payment/negotiation site and REvil’s Tor ‘Happy Blog’ data leak site suddenly came back online this week.

The most recent victim on the blog was added on July 8th, 2021, just five days before REvil’s mysterious disappearance.

The Tor negotiation site is not yet fully operational, though shows a login screen which does not allow victims to log in.

The gang’s decoder is still offline at this time.

It is unclear what’s next for REvil Ransomware, but it seems that celebrations this summer were premature.

REvil Ransomware Analysis

REvil Ransomware is a Ransomware-as-a-Service (RaaS), meaning it can be sold on a subscription basis and is usable by just about anybody. In 2020, it extorted large amounts of money for corporations and individuals. According to researchers, it is the most widespread ransomware strain. Groups using have a knack for shaking down businesses that don’t meet their demands, often through threats or leaking dating.

REvil Ransomware, also known as Sodinokibi, first appeared in April 2019 and rose to prominence after another RaaS gang called GandCrab shut down its service. REvil was first advertised on Russian-language cybercrime forums. The main actor associated with advertising and promoting REvil ransomware is called Unknown aka UNKN.  In the early days of REvil, researchers and security firms identified it as a strain of GandCrab, or at least established multiple links between the two. An alleged member of the group, using the handle Unknown, confirmed in an interview that the ransomware was not a new creation and that it was built on top of an older codebase that the group acquired.

The group behind REvil Ransomware and other groups selling RaaS often do so on a commission basis. Usually, this means a cut of between 20% and 30% of the money earned through infecting victims with ransomware.

In 2020, the IBM Security X-Force Incident Response reported that 1 in 3 Ransomware infections were caused by REvil Ransomware.

In February 2021, the REvil ransomware operation posted a job notice where they were looking to recruit people to perform DDoS attacks and use VOIP calls to contact victims and their partners.

In March, a security researcher known as 3xp0rt discovered that REvil has announced that they were introducing new tactics that affiliates can use to exert even more pressure on victims.

These new tactics include a free service where the threat actors, or affiliated partners, will perform voice-scrambled VOIP calls to the media and victim’s business partners with information about the attack. The ransomware gang is likely assuming that warning businesses that their data may have been exposed in an attack on of their partners, will create further pressure for the victim to pay.

REvil Ransomware is also providing a paid service that allows affiliates to perform Layer 3 and Layer 7 DDoS attacks against a company for maximum pressure. A Layer 3 attack is commonly used to take down the company’s Internet connection. In contrast, threat actors would use a Layer 7 attack to take down a publicly accessible application, such as a web server.

It is highly configurable, and it can be customized to behave differently depending on the host. This makes it a highly attractive RaaS client. Some of its features include:

• Exploits a kernel privilege escalation vulnerability to gain SYSTEM privileges using CVE-2018-8453.
• Whitelists files, folders and extensions from encryption.
• Kills specific processes and services prior to encryption.
• Encrypts files on local and network storage.
• Customizes the name and body of the ransom note, and the contents of the background image.
• Exfiltrates encrypted information on the infected host to remote controllers.
• REvil Ransomware uses Hypertext Transfer Protocol Secure (HTTPS) for communication with its controllers.

REvil ransomware exploits a kernel privilege escalation vulnerability in win32k.sys tracked as CVE-2018-8453 to gain SYSTEM privileges on the infected host. If the configuration instructs a sample to execute this exploit, it will allocate executable memory, decrypt the exploit code in the newly allocated region and invoke it.