Software: REvil, Sodinokibi, Sodin

From attackics
REvil, Sodinokibi, Sodin
Software
ID S0019
Aliases REvil, Sodinokibi, Sodin
Type Malware

REvil is a Ransomware-as-a-Service (RaaS) malware that was first seen in 2019 and has targeted organizations in the manufacturing, transportation, and electric sectors.[1][2][3] While the ransomware is not specifically tailored to ICS platforms or architectures, if deployed on an ICS system it can exfiltrate data for later extortion and then encrypt sensitive files.

Associated Software Descriptions

  • Sodinokibi [1][2][3][4]
  • Sodin [5]

Techniques Used

  • Masquerading - REvil checks whether the Ahnlab “autoup.exe” service is running on the target system and injects its payload into this existing process.[4]
  • User Execution - REvil initially executes when the user clicks on a JavaScript file included in the phishing email’s .zip attachment.[4]
  • Scripting - REvil uses JavaScript, WScript, and PowerShell scripts to execute. The malicious JavaScript attachment contains an obfuscated PowerShell script that launches the malware.[4]
  • Remote Services - REvil uses the SMB protocol to encrypt files located on remotely connected file shares.[6]
  • Service Stop - REvil searches for all processes listed in the “prc” field of its configuration file and then terminates each one.[8]