This site has been deprecated in favor of https://attack.mitre.org and will remain in place until 11/1/22.
Software: REvil, Sodinokibi, Sodin
| REvil, Sodinokibi, Sodin | |
|---|---|
| Software | |
| ID | S0019 |
| Aliases | REvil, Sodinokibi, Sodin |
| Type | Malware |
REvil is a Ransomware-as-a-Service (RaaS) malware that was first seen in 2019 and has targeted organizations in the manufacturing, transportation, and electric sectors.[1][2][3] While the ransomware is not specifically tailored to ICS platforms or architectures, if deployed on an ICS system it can exfiltrate data for later extortion and then encrypt sensitive files.
Associated Software Descriptions
Techniques Used
- Loss of Productivity and Revenue - The REvil malware gained access to an organization’s network and encrypted sensitive files used by OT equipment.[3]
- Masquerading - REvil checks whether the AhnLab “autoup.exe” service is running on the target system and injects its payload into this existing process.[4]
- User Execution - REvil initially executes when the user clicks on a JavaScript file included in the phishing email’s .zip attachment.[4]
- Scripting - REvil uses JavaScript, WScript, and PowerShell scripts to execute. The malicious JavaScript attachment contains an obfuscated PowerShell script that executes the malware.[4]
- Remote Services - REvil uses the SMB protocol to encrypt files located on remotely connected file shares.[6]
- Standard Application Layer Protocol - REvil sends HTTPS POST messages with randomly generated URLs to communicate with a remote server.[4][7]
- Service Stop - REvil searches for all processes listed in the “prc” field of its configuration file and then terminates each of them.[8]
- Theft of Operational Information - REvil sends exfiltrated data from the victim’s system to the C2 server using HTTPS POST messages.[8][7]
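The Masquerading and Service Stop entries above describe two host behaviours a defender can hunt for: a remote thread created in AhnLab’s “autoup.exe” from an unexpected source, and a burst of process terminations on one host. The following is an added detection example written for this page; it is not code from MITRE or from any of the cited reports. Sysmon Event ID 5 (ProcessTerminate) and Event ID 8 (CreateRemoteThread) are real Sysmon event types, but the JSON field layout, the sample log lines, the AhnLab install-path allowlist, and the five-terminations-in-ten-seconds threshold are all constructed assumptions for the example.

```python
"""Hunt constructed Sysmon-style JSON events for two REvil behaviours:
injection into AhnLab autoup.exe (Event ID 8) and a burst of process
terminations (Event ID 5). Field names and thresholds are assumptions."""
import json
from collections import deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs). ws01 shows both behaviours;
# ws02 is a benign baseline with two slow terminations and a thread created
# from inside the AhnLab install directory itself.
SAMPLE_LOG = r"""
{"t": "2021-04-12T10:00:01", "host": "ws01", "id": 5, "Image": "C:\\Apps\\app1.exe"}
{"t": "2021-04-12T10:00:01", "host": "ws01", "id": 5, "Image": "C:\\Apps\\app2.exe"}
{"t": "2021-04-12T10:00:02", "host": "ws01", "id": 5, "Image": "C:\\Apps\\app3.exe"}
{"t": "2021-04-12T10:00:02", "host": "ws01", "id": 5, "Image": "C:\\Apps\\app4.exe"}
{"t": "2021-04-12T10:00:03", "host": "ws01", "id": 5, "Image": "C:\\Apps\\app5.exe"}
{"t": "2021-04-12T10:00:03", "host": "ws01", "id": 5, "Image": "C:\\Apps\\app6.exe"}
{"t": "2021-04-12T10:00:05", "host": "ws01", "id": 8, "SourceImage": "C:\\Users\\u\\AppData\\Local\\Temp\\x.exe", "TargetImage": "C:\\Program Files\\AhnLab\\V3\\autoup.exe"}
{"t": "2021-04-12T10:05:00", "host": "ws02", "id": 5, "Image": "C:\\Apps\\app1.exe"}
{"t": "2021-04-12T10:09:00", "host": "ws02", "id": 5, "Image": "C:\\Apps\\app2.exe"}
{"t": "2021-04-12T10:09:30", "host": "ws02", "id": 8, "SourceImage": "C:\\Program Files\\AhnLab\\V3\\V3Svc.exe", "TargetImage": "C:\\Program Files\\AhnLab\\V3\\autoup.exe"}
"""

# Assumed allowlist: remote threads created from within the AhnLab install
# directory are treated as the product's own behaviour and not alerted on.
TRUSTED_INJECTION_SOURCES = ("c:/program files/ahnlab",)


def parse_events(log_text):
    """Parse one JSON event per line; timestamps become datetime objects."""
    events = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["t"] = datetime.fromisoformat(ev["t"])
        events.append(ev)
    return events


def _norm(path):
    """Case-insensitive, forward-slash form of a Windows path for prefix checks."""
    return PureWindowsPath(path).as_posix().lower()


def detect_autoup_injection(events):
    """Event ID 8 whose target is autoup.exe and whose source is not trusted."""
    hits = []
    for ev in events:
        if ev.get("id") != 8:
            continue
        if PureWindowsPath(ev["TargetImage"]).name.lower() != "autoup.exe":
            continue
        src = _norm(ev["SourceImage"])
        if any(src.startswith(prefix) for prefix in TRUSTED_INJECTION_SOURCES):
            continue
        hits.append({"host": ev["host"], "t": ev["t"],
                     "rule": "injection_into_autoup", "source": ev["SourceImage"]})
    return hits


def detect_termination_burst(events, threshold=5, window=timedelta(seconds=10)):
    """Sliding-window count of Event ID 5 per host; alert once per crossing."""
    hits = []
    recent = {}  # host -> deque of termination events inside the window
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev.get("id") != 5:
            continue
        q = recent.setdefault(ev["host"], deque())
        q.append(ev)
        while q and ev["t"] - q[0]["t"] > window:
            q.popleft()
        if len(q) == threshold:  # fire only when the threshold is first reached
            hits.append({"host": ev["host"], "t": ev["t"],
                         "rule": "termination_burst", "count": len(q),
                         "images": [PureWindowsPath(e["Image"]).name for e in q]})
    return hits


def hunt(log_text):
    """Run both detections and return findings ordered by host and time."""
    events = parse_events(log_text)
    findings = detect_autoup_injection(events) + detect_termination_burst(events)
    return sorted(findings, key=lambda f: (f["host"], f["t"]))


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, only ws01 produces findings: a termination burst at 10:00:03 (the fifth termination within the window) followed by the remote thread created in autoup.exe from a Temp-directory executable. The ws02 thread creation is suppressed by the allowlist, which is where real deployments need tuning: the allowlist and threshold above are placeholders, not values taken from the cited reports.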
References
1. Kaspersky ICS CERT. (2020, September 24). Threat landscape for industrial automation systems. H1 2020. Retrieved April 12, 2021.
2. Ionut Ilascu. (2019, July 16). Ryuk, Sodinokibi Ransomware Responsible for Higher Average Ransoms. Retrieved April 12, 2021.
3. Selena Larson, Camille Singleton. (2020, December). Ransomware in ICS Environments. Retrieved April 12, 2021.
4. Tom Fakterman. (2019, August 05). Sodinokibi: The Crown Prince of Ransomware. Retrieved April 12, 2021.
5. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service: An analysis of a ransomware affiliate operation. Retrieved April 12, 2021.
6. Max Heinemeyer. (2020, February 21). Post-mortem of a targeted Sodinokibi ransomware attack. Retrieved April 12, 2021.
7. SecureWorks. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved April 12, 2021.
8. McAfee Labs. (2019, October 02). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved April 12, 2021.