This site has been deprecated in favor of https://attack.mitre.org and will remain in place until 11/1/22.
Software: REvil, Sodinokibi, Sodin
|REvil, Sodinokibi, Sodin|
|Aliases||REvil, Sodinokibi, Sodin|
REvil is a Ransomware-as-a-Service (RAAS) malware that was first seen in 2019 and has targeted organizations in the manufacturing, transportation, and electric sector.123 While the ransomware does not have a specific tailoring towards ICS platforms or architectures, if deployed on an ICS system it can exfiltrate data for later extortion and then encrypt sensitive files.
Associated Software Descriptions
- Loss of Productivity and Revenue - The REvil malware gained access to an organization’s network and encrypted sensitive files used by OT equipment.3
- Masquerading - REvil searches for whether the Ahnlab “autoup.exe” service is running on the target system and injects its payload into this existing process.4
- Remote Services - REvil uses the SMB protocol to encrypt files located on remotely connected file shares.6
- Standard Application Layer Protocol - REvil sends HTTPS POST messages with randomly generated URLs to communicate with a remote server.47
- Service Stop - REvil searches for all processes listed in the “prc” field within its configuration file and then terminates each process.8
- Theft of Operational Information - REvil sends exfiltrated data from the victim’s system using HTTPS POST messages sent to the C2 system.87
- Kaspersky ICS CERT. (2020, September 24). Threat landscape for industrial automation systems. H1 2020. Retrieved April 12, 2021.
- Ionut Ilascu. (2019, July 16). Ryuk, Sodinokibi Ransomware Responsible for Higher Average Ransoms. Retrieved April 12, 2021.
- Selena Larson, Camille Singleton. (2020, December). RANSOMWARE IN ICS ENVIRONMENTS. Retrieved April 12, 2021.
- Tom Fakterman. (2019, August 05). Sodinokibi: The Crown Prince of Ransomware. Retrieved April 12, 2021.
- Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service: An analysis of a ransomware affiliate operation. Retrieved April 12, 2021.
- Max Heinemeyer. (2020, February 21). Post-mortem of a targeted Sodinokibi ransomware attack. Retrieved April 12, 2021.
- SecureWorks. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved April 12, 2021.
- McAfee Labs. (2019, October 02). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved April 12, 2021.