REvil Ransomware Strikes US Nuclear Weapons Contractor

REvil Ransomware has struck again, this time at Sol Oriens, a subcontractor for the Department of Energy (DOE). Sol Oriens works on nuclear weapons with the National Nuclear Security Administration (NNSA). The REvil Ransomware attack occurred last month. The companies website has been unreachable since June 3rd, but Sol Oriens spokespeople confirmed to Fox News and CNBC that they became aware of the REvil Ransomware infection a month ago. The REvil Ransomware operators said of the attack, “We hereby keep a right to forward all of the relevant documentation and data to military agencies of our choice.”

The company said in a statement, “In May 2021, Sol Oriens became aware of a cybersecurity incident that impacted our network environment. The investigation is ongoing, but we recently determined that an unauthorized individual acquired certain documents from our systems. Those documents are currently under review, and we are working with a third-party technological forensic firm to determine the scope of potential data that may have been involved. We have no current indication that this incident involves client classified or critical security-related information. Once the investigation concludes, we are committed to notifying individuals and entities whose information is involved.”

Eamon Javers of CNBC noted, “we don’t know everything this small company does,” but he posted a sample job posting that indicates that it handles nuclear weapons issues: “Senior Nuclear Weapon System Subject Matter. Expert with more than 20 years of experience with nuclear weapons like the W80-4.” The W80 is a type of nuclear warhead carried on air-launched cruise missiles.

According to an archived version of the companys’ LinkedIn profile, Sol Oriens is a “small, veteran-owned consulting firm focused on managing advanced technologies and concepts with strong potential for military and space applications” that works with the “Department of Defense and Department of Energy Organizations, Aerospace Contractors, and Technology Firms (sic) carry out complex programs. We focus on ensuring that there are well-developed technologies available to maintain a strong National Defense.”

Brett Callow, a threat analyst and ransomware expert at the security firm Emsisoft, told Mother Jones that he had spotted Sol Oriens’s internal information posted to the REvil Ransomware’s dark web blog.

According to Callow, the leaked information so far seems relatively benign. Callow described the data as, “a company payroll form from September 2020, outing a handful of employees’ names, social security numbers, and quarterly pay. There’s also a company contracts ledger, and a portion of a memo outlining worker training plans.”

It remains to be seen if the REvil Ransomware gang has got its hands on more sensitive information. Regardless, the attack is concerning for many, given that a company working with nuclear armaments was able to be breached from the outside. As Mother Jones pointed out, the NNSA is responsible for maintaining and securing the nation’s nuclear weapons stockpile and works on nuclear applications for the military, along with other highly sensitive missions.

The REvil Ransomware gang blamed the victim in the attack, stating Sol Oriens “did not take all necessary action to protect personal data of their employees and software development for partner companies.”

REvil Ransomware Analysis

REvil Ransomware is a Ransomware-as-a-Service (RaaS), meaning it can be sold on a subscription basis and is usable by just about anybody. In 2020, it extorted large amounts of money for corporations and individuals. According to researchers, it is the most widespread ransomware strain. Groups using have a knack for shaking down businesses that don’t meet their demands, often through threats or leaking dating.

REvil Ransomware, also known as Sodinokibi, first appeared in April 2019 and rose to prominence after another RaaS gang called GandCrab shut down its service. REvil was first advertised on Russian-language cybercrime forums. The main actor associated with advertising and promoting REvil ransomware is called Unknown aka UNKN.  In the early days of REvil, researchers and security firms identified it as a strain of GandCrab, or at least established multiple links between the two. An alleged member of the group, using the handle Unknown, confirmed in an interview that the ransomware was not a new creation and that it was built on top of an older codebase that the group acquired.

The group behind REvil Ransomware and other groups selling RaaS often do so on a commission basis. Usually, this means a cut of between 20% and 30% of the money earned through infecting victims with ransomware.

In 2020, the IBM Security X-Force Incident Response reported that 1 in 3 Ransomware infections were caused by REvil Ransomware.

In February 2021, the REvil ransomware operation posted a job notice where they were looking to recruit people to perform DDoS attacks and use VOIP calls to contact victims and their partners.

In March, a security researcher known as 3xp0rt discovered that REvil has announced that they were introducing new tactics that affiliates can use to exert even more pressure on victims.

These new tactics include a free service where the threat actors, or affiliated partners, will perform voice-scrambled VOIP calls to the media and victim’s business partners with information about the attack. The ransomware gang is likely assuming that warning businesses that their data may have been exposed in an attack on of their partners, will create further pressure for the victim to pay.

REvil Ransomware is also providing a paid service that allows affiliates to perform Layer 3 and Layer 7 DDoS attacks against a company for maximum pressure. A Layer 3 attack is commonly used to take down the company’s Internet connection. In contrast, threat actors would use a Layer 7 attack to take down a publicly accessible application, such as a web server.

It is highly configurable, and it can be customized to behave differently depending on the host. This makes it a highly attractive RaaS client. Some of its features include:

• Exploits a kernel privilege escalation vulnerability to gain SYSTEM privileges using CVE-2018-8453.
• Whitelists files, folders and extensions from encryption.
• Kills specific processes and services prior to encryption.
• Encrypts files on local and network storage.
• Customizes the name and body of the ransom note, and the contents of the background image.
• Exfiltrates encrypted information on the infected host to remote controllers.
• REvil Ransomware uses Hypertext Transfer Protocol Secure (HTTPS) for communication with its controllers.

REvil ransomware exploits a kernel privilege escalation vulnerability in win32k.sys tracked as CVE-2018-8453 to gain SYSTEM privileges on the infected host. If the configuration instructs a sample to execute this exploit, it will allocate executable memory, decrypt the exploit code in the newly allocated region and invoke it.