Software: REvil, Sodinokibi, Sodin

REvil is a Ransomware-as-a-Service (RAAS) malware that was first seen in 2019 and has targeted organizations in the manufacturing, transportation, and electric sector.123 While the ransomware does not have a specific tailoring towards ICS platforms or architectures, if deployed on an ICS system it can exfiltrate data for later extortion and then encrypt sensitive files.

Associated Software Descriptions

• Sodinokibi - 1234
• Sodin - 5

Techniques Used

• Loss of Productivity and Revenue - The REvil malware gained access to an organization’s network and encrypted sensitive files used by OT equipment.3

• Masquerading - REvil searches for whether the Ahnlab “autoup.exe” service is running on the target system and injects its payload into this existing process.4

• User Execution - REvil initially executes when the user clicks on a JavaScript file included in the phishing email’s .zip attachment.4

• Scripting - REvil utilizes JavaScript, WScript, and PowerShell scripts to execute. The malicious JavaScript attachment has an obfuscated PowerShell script that executes the malware.4

• Remote Services - REvil uses the SMB protocol to encrypt files located on remotely connected file shares.6

• Standard Application Layer Protocol - REvil sends HTTPS POST messages with randomly generated URLs to communicate with a remote server.47

• Service Stop - REvil searches for all processes listed in the “prc” field within its configuration file and then terminates each process.8

• Theft of Operational Information - REvil sends exfiltrated data from the victim’s system using HTTPS POST messages sent to the C2 system.87