This site has been deprecated in favor of https://attack.mitre.org and will remain in place until 11/1/22.

Software/S0019

From attackics
Revision as of 18:49, 12 April 2021 by Oalexander (talk | contribs)
Jump to navigation Jump to search

{{Software |Type=Malware |Description=REvil is a Ransomware-as-a-Service (RAAS) malware that was first seen in 2019 and has targeted organizations in the manufacturing, transportation, and electric sector.123 While the ransomware does not have a specific tailoring towards ICS platforms or architectures, if deployed on an ICS system it can exfiltrate data for later extortion and then encrypt sensitive files. |WindowsBuiltin=No |AliasDescriptions=REvil@@@@####Sodinokibi@@@@1234####Sodin@@@@5#### |TechniqueObjects=

  • Masquerading - REvil searches for whether the Ahnlab “autoup.exe” service is running on the target system and injects its payload into this existing process.4
  • User Execution - REvil initially executes when the user clicks on a JavaScript file included in the phishing email’s .zip attachment.4
  • Scripting - REvil utilizes JavaScript, WScript, and PowerShell scripts to execute. The malicious JavaScript attachment has an obfuscated PowerShell script that executes the malware.4
  • Remote Services - REvil uses the SMB protocol to encrypt files located on remotely connected file shares.6
  • Service Stop - REvil searches for all processes listed in the “prc” field within its configuration file and then terminates each process.8