REvil Ransomware Malware Analysis 

1. Overall Summary

REvil (also known as Sodinokibi) is a Ransomware-as-a-Service (RaaS). Its first attacks, in mid-April 2019, drew a great deal of attention from the cyber security community because it shares many similarities with GandCrab ransomware and because of the distribution techniques its operators use: exploit kits, scanning for and exploiting vulnerable software (such as Oracle WebLogic) and RDP servers, and backdoored software installers.

The ransomware developers claim that REvil has made more than $100 million in one year by infecting large businesses. If the ransom is not paid by the victim, the attackers may publish data stolen from the victim's internal network on their blog.

[Image: REvil blog website on the dark web]

2. Technical Analysis

2.1 String Encryption

In order to execute itself and bypass major security solutions such as antivirus or EDR products, REvil hides its string data using the RC4 encryption algorithm. During our investigation we were able to decrypt the string data hidden by the ransomware developers, as shown in the image below.

The configuration the ransomware reads is a JSON document stored in a dedicated section of the malware binary named .cfg; in this sample it is RC4-encrypted with the key pDisBT7geGwku4wBPM2Buiq3TrmvBums.

[Image: decrypted string data]

After RC4 decryption, the routine returns a large JSON document to a variable for further processing. Below is an abbreviated version of the configuration for readability.

JSON Config Data:

{
  "wht": {
    "fld": [ "boot", "tor browser", "$recycle.bin", "system volume information", "google", "program files (x86)", "msocache", "mozilla", "programdata", "application data", "windows.old", "appdata", "intel", "$windows.~ws", "$windows.~bt", "program files", "perflogs", "windows" ],
    "fls": [ "ntuser.ini", "bootsect.bak", "desktop.ini", "ntuser.dat", "ntldr", "boot.ini", "bootfont.bin", "iconcache.db", "thumbs.db", "autorun.inf", "ntuser.dat.log" ],
    "ext": [ "diagcab", "cpl", "mod", "bat", "nls", "ldf", "dll", "ps1", "adv", "prf", "idx", "rtp", "ocx", "icl", "ani", "cab", "rom", "key", "wpx", "icns", "themepack", "msc", "msp", "cur", "theme", "cmd", "diagpkg", "lnk", "ico", "drv", "bin", "nomedia", "lock", "mpa", "hlp", "scr", "shs", "com", "ics", "hta", "msi", "exe", "diagcfg", "msu", "deskthemepack", "386", "msstyles", "spl", "sys" ]
  },
  "wfld": [ "backup" ],
  "prc": [ "outlook", "agntsvc", "infopath", "sqbcoreservice", "steam", "firefox", "ocomm", "ocssd", "mydesktopqos", "oracle", "powerpnt", "wordpad", "synctime", "sql", "thebat", "onenote", "excel", "visio", "encsvc", "winword", "mydesktopservice", "dbsnmp", "isqlplussvc", "tbirdconfig", "mspub", "msaccess", "thunderbird", "ocautoupds", "xfssvccon", "dbeng50" ],
  "svc": [ "svc$", "vss", "sophos", "mepocs", "backup", "sql", "memtas", "veeam" ],
  ...
}

Full version of REvil Config Data in JSON format:

https://github.com/whichbuffer/Malware-Analysis/blob/main/MalwareSample/REvil/config_decoded.txt


Python script to extract and parse the configuration file from the ransomware:

https://raw.githubusercontent.com/whichbuffer/Malware-Analysis/main/MalwareSample/REvil/REvil_Config_Parser.py
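As an added example (not the author's parser linked above), the following Python RC4-decrypts a .cfg-style blob with the key quoted in this section, verifies it, parses the JSON and pulls out the fields a responder needs first. The header layout (32-byte key, CRC32, length, then ciphertext) and the sample configuration are assumptions constructed for this example, not taken from the real binary or the decoded config linked above.

```python
import json
import struct
import zlib

# Key quoted in the report; the blob layout below (key | crc32 | len | ciphertext)
# is an assumption of this added example, not something the report states.
CFG_KEY = b"pDisBT7geGwku4wBPM2Buiq3TrmvBums"

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def build_cfg_blob(key: bytes, plaintext: bytes) -> bytes:
    """Build a blob in the assumed layout; used only to construct a test input."""
    header = key + struct.pack("<II", zlib.crc32(plaintext), len(plaintext))
    return header + rc4(key, plaintext)

def parse_cfg_blob(blob: bytes) -> dict:
    """Split the header, RC4-decrypt, verify the CRC, and parse the JSON config."""
    key = blob[:32]
    crc, length = struct.unpack("<II", blob[32:40])
    plaintext = rc4(key, blob[40:40 + length])
    if zlib.crc32(plaintext) != crc:
        raise ValueError("CRC mismatch: wrong key or corrupted .cfg section")
    return json.loads(plaintext.decode("utf-8"))

def summarise(cfg: dict) -> dict:
    """Pull out the fields a responder acts on first (see the key table below)."""
    return {
        "c2_domains": [d for d in cfg.get("dmn", "").split(";") if d],
        "beacons": bool(cfg.get("net")),
        "kills_processes": sorted(cfg.get("prc", [])),
        "whitelisted_ext": len(cfg.get("wht", {}).get("ext", [])),
    }

# Constructed sample configuration (not the real decoded config from the sample).
SAMPLE_CFG = {"dmn": "example.invalid;example.test", "net": True,
              "prc": ["sql", "outlook"], "wht": {"ext": ["exe", "dll", "sys"]}}
SAMPLE_BLOB = build_cfg_blob(CFG_KEY, json.dumps(SAMPLE_CFG).encode())
```

Against a real sample, the 32-byte key and ciphertext would be read from the .cfg section instead of SAMPLE_BLOB; a CRC mismatch is the quickest sign that the key or section offset is wrong.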


REvil configuration keys and definitions:

Key Definition
dbg Boolean value used by the malware developer during development (only relevant to determining whether the victim is from Russia)
dmn Semicolon-separated list of domain names representing REvil command and control (C2) servers (the list acts as a sinkhole)
exp Boolean value that determines whether REvil should attempt to elevate privileges using a local privilege escalation (LPE) exploit
fast Boolean value that determines whether files larger than 65535 bytes are encrypted in fast or slow mode
img Base64-encoded string placed at the top of the background image created and set by REvil
nbody Base64-encoded ransom note text dropped in folders where files were encrypted
nname Filename of the ransom note dropped in folders where files were encrypted
net Boolean value that determines whether REvil should attempt to exfiltrate basic victim and malware information to the C2 servers listed in the dmn key (a sinkhole)
pid Integer value that is only referenced if the net key is set to true, i.e. when basic victim and malware information is sent to the C2 server
sub Integer value that is only referenced when sending basic victim and malware information to the C2 server, if configured to do so via the net key
pk Base64-encoded value representing the attacker's public key used to encrypt files with RSA
prc Array of process names that REvil attempts to terminate prior to encrypting and wiping folders, to prevent resource conflicts
wipe Boolean value that determines whether REvil attempts to wipe the blacklisted folders specified in the wfld key
wfld Array of blacklisted folder names; if the wipe key is set to true, REvil attempts to wipe these folders before the encryption process
wht Contains the following subkeys representing whitelisted data that REvil will not encrypt at all:

  • ext — Whitelisted file extensions
  • fld — Whitelisted folder name data
  • fls — Explicit whitelisted filenames

In the full version of the JSON configuration data, the ransom note (README) can be seen as a Base64 string; we were able to decode it as shown in the image below.

[Image: decoded ransom note from the configuration]

2.2. Import Table

Dynamic Import Address Table (IAT)

REvil builds its import address table (IAT) manually at runtime as an anti-analysis technique: it loops over a list of DWORDs and writes each resolved function pointer into the import table. To bypass this technique, execute the ransomware binary in x32dbg and, after the call to the IAT population function, dump the process memory with Scylla. The procedure is shown in section 4, Unpack REvil Ransomware.

[Image: IAT population routine]

2.3. Command Line Arguments

The newest version of REvil Ransomware has optional command line parameters that control different aspects of the infection process.

Argument Description
nolan Do not encrypt network shares
nolocal Do not encrypt local files
path Specify directory to encrypt
smode Reboots the computer in Windows Safe Mode
silent Do not kill processes and services
fast Only encrypts the first MB of a file (sets et to 1)
full Encrypts entire file (sets et to 0)

2.4. Generate Encryption Keys

REvil stores session encryption keys in the host's registry, as key and value pairs created under either HKLM or HKCU. The newest REvil sample hides these values under HKLM\SOFTWARE\WOW6432Node\BlackLivesMatter\.

The registry values created by REvil include the encrypted stat JSON data structure, which is encrypted with the same algorithm used to protect the session private key stored in the registry.

[Image: registry values created by REvil]

Key Value
54k Contains the value of pk from the configuration
Krdfp Contains the private key encrypted by the public key in the configuration
a0w0 Contains the public key generated from elliptic curve function
hq0G6X Contains the public key generated from elliptic curve function
hq0G6X Contains the private key encrypted by the public key in the binary
XFx41h1r Contains an encrypted string containing information that is sent to C2 servers
x4WHjRs Contains the random file extension that gets appended to encrypted files

REvil profiles the compromised host by collecting the following information:

  • Current username
  • Hostname
  • Workgroup/domain name
  • Locale
  • Russian keyboard layout (Boolean)
  • Operating system product name
  • Fixed drive details
  • CPU architecture

REvil converts this information into a "stat" JSON data structure, adds further keys associated with the ransomware itself, and sends it to the C2 server.

Decrypted JSON stat data:

{
  "bit": 86,
  "bro": false,
  "dsk": "QwADAAAAAPDf/xgAAAAA0LxsFQAAAA==",
  "grp": "WORKGROUP",
  "lng": "en-US",
  "net": "VICTIM-HOSTNAME",
  "os": "Windows 7",
  "pid": "10",
  "pk": "nAjfiPcoIyeIwwCkM1hLhXo5HUQMtrAB+7m8eHzerho=",
  "sk": "ww8h065kK3Tm7Thg/Y0nT3tSLReYMJUoaVVIkkDq8/L/5k1IcaoVFKkDtKcrdap6Q1mzZd+B6oAD2McVjLnWu6F/w0VVVHvGr/RJWfwH5cnTppruevrgog==",
  "sub": "3",
  "uid": "A4DF893FF284306J",
  "unm": "VICTIM-JOHN",
  "ver": 257
}

2.5. Language Checks

Upon execution, the first thing REvil does is identify the system's UI language and the user's keyboard layout. It calls the GetUserDefaultUILanguage and GetSystemDefaultUILanguage Windows APIs to obtain the language code and compares that code against a list of hardcoded values. If the system language matches one of the values shown in the image below, the program exits and the encryption process stops.

[Image: list of languages that are whitelisted from being encrypted]

3. C2 Communication

If the net value in the JSON configuration is set to true, REvil reaches out to one of the command and control (C2) servers from the dmn list. First, it splits the list of domains on the ";" character. For each C2 server in the list, REvil builds up data in the following JSON format:

{
  "ver": "Version info (0x205, or 2.05 in this case)",
  "pid": "pid value from config",
  "sub": "sub value from config",
  "pk": "pk value from config, base64 decoded",
  "uid": "Volume Serial Number and CPU Info",
  "sk": "Private Key encrypted by the value of pk",
  "unm": "Account Username",
  "net": "Computer Name",
  "grp": "Computer Domain Name",
  "lng": "Language Used (i.e. en-us)",
  "bro": "Boolean returned by the language and keyboard check",
  "os": "Product Name",
  "bit": "Architecture Used (x32 or x64)",
  "dsk": "Base64 encoded information about the drives on the computer",
  "ext": "Generated extension used for encrypted files"
}

REvil then encrypts this JSON string with a third public key stored in the binary, using the same encryption method that protected the generated private key described earlier in this report. Once the JSON is encrypted, REvil takes the C2 server name and builds a random URL matching the following pattern:

 https://<Server-Name>/(wp-content|static|content|include|uploads|news|data|admin)/(images|pictures|image|temp|tmp|graphic|assets|pics|game)/([a-z]{2}){1,10}.(jpg|png|gif)

REvil Ransomware will then send this JSON data in a POST request with the following headers:

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Content-Type: application/octet-stream
Connection: close
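As an added example (not part of the original report), the following Python turns the URL pattern and request headers above into detection logic and runs it over a few constructed proxy log lines. The tab-separated log format, the placeholder hostnames and the scoring thresholds are assumptions of this example; the URL pattern and User-Agent are the ones quoted in this section.

```python
import re
from typing import NamedTuple

# URL shape quoted in the report (section 3); the final "." is escaped here so
# it matches a literal dot. Path segments are matched case-sensitively, as written.
REVIL_URL_RE = re.compile(
    r"^https://[^/]+/(wp-content|static|content|include|uploads|news|data|admin)/"
    r"(images|pictures|image|temp|tmp|graphic|assets|pics|game)/"
    r"([a-z]{2}){1,10}\.(jpg|png|gif)$"
)
REVIL_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36")

class ProxyEvent(NamedTuple):
    method: str
    url: str
    user_agent: str
    content_type: str

def beacon_score(ev: ProxyEvent) -> int:
    """Score one proxy event against the REvil beacon profile from section 3.
    A GET for an image with this UA is ordinary browsing, so the URL shape only
    counts when the request is a POST carrying application/octet-stream."""
    score = 0
    if ev.method == "POST" and ev.content_type == "application/octet-stream":
        score += 1
        if REVIL_URL_RE.match(ev.url):
            score += 2  # binary POST to an image-looking path is the telltale
    if ev.user_agent == REVIL_UA:
        score += 1  # a stock Chrome 84 UA; weak evidence on its own
    return score

def parse_log_line(line: str) -> ProxyEvent:
    """Parse the constructed tab-separated log: method, url, UA, content-type."""
    method, url, ua, ctype = line.rstrip("\n").split("\t")
    return ProxyEvent(method, url, ua, ctype)

def find_beacons(lines, threshold: int = 3):
    """Return the URLs of events scoring at or above the threshold."""
    return [ev.url for ev in map(parse_log_line, lines) if beacon_score(ev) >= threshold]

# Constructed sample log lines (hostnames are placeholders, not real IOCs).
SAMPLE_LOG = [
    "GET\thttps://cdn.example.test/static/images/logo.png\t" + REVIL_UA + "\timage/png",
    "POST\thttps://blog.example.test/uploads/images/kqzmfa.jpg\t" + REVIL_UA
    + "\tapplication/octet-stream",
    "POST\thttps://api.example.test/v1/upload\t" + REVIL_UA + "\tapplication/octet-stream",
    "POST\thttps://news.example.test/news/pics/xy.gif\tcurl/7.68.0\tapplication/octet-stream",
]
```

The fourth sample line is flagged even though its User-Agent differs, which is the intended behaviour: the POST of an octet-stream body to an image-looking path carries the weight, and the header only raises confidence.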


4. Unpack REvil Ransomware

During our analysis we found that REvil can hide the Windows APIs it uses (its import table) for evasion purposes; this technique alone can bypass major AV or EDR solutions. We were able to defeat this anti-analysis technique by debugging the REvil sample and setting breakpoints on <kernel32.dll.VerifyVersionInfoW> and <kernel32.dll.CloseHandle>. When the debugger hits the breakpoint on <kernel32.dll.CloseHandle>, the import table has been pushed onto the stack, so we can observe the Windows APIs used by REvil, which gives strong insight into the behaviour of the malware itself.

[Image: import table visible on the stack at the CloseHandle breakpoint]

Looking back at section 2.2, the import table visible before unpacking is just the tip of the iceberg.

[Image: import table after unpacking]

Full list of the import table after unpacking:

https://raw.githubusercontent.com/whichbuffer/Malware-Analysis/main/MalwareSample/REvil/Import-Table_Unpack.txt

WinHttpSendRequest(), used to make connections to the command and control server; this API function was not visible before unpacking.

[Image: WinHttpSendRequest in the unpacked import table]

NetShareEnum(), used to spread the malware across the internal network by abusing SMB.

[Image: NetShareEnum in the unpacked import table]

Unpacked REvil ransomware sample: https://github.com/whichbuffer/Malware-Analysis/blob/main/MalwareSample/REvil/d74f04f0b948d9586629e06e2a2a21bdf20d678e47058afb637414eb3701c1f6_dump_SCY.bin

5. ATT&CK Methodologies Used by REvil

ATT&CK ID ATT&CK Technique
T1098 Account Manipulation
T1547 Boot or Logon Autostart Execution
T1548 Abuse Elevation Control Mechanism
T1134 Access Token Manipulation
T1112 Modify Registry
T1027 Obfuscated Files or Information
T1083 File and Directory Discovery
T1135 Network Share Discovery
T1486 Data Encrypted for Impact
T1489 Service Stop


6. IOCs

SHA-256: d74f04f0b948d9586629e06e2a2a21bdf20d678e47058afb637414eb3701c1f6

Registry Keys:

SOFTWARE\BlackLivesMatter\54k
SOFTWARE\BlackLivesMatter\Krdfp
SOFTWARE\BlackLivesMatter\a0w0
SOFTWARE\BlackLivesMatter\hq0G6X
SOFTWARE\BlackLivesMatter\XFx41h1r
SOFTWARE\BlackLivesMatter\x4WHjRs

HTTP Headers:

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Content-Type: application/octet-stream
Connection: close


URL Regex and Decryption sites:

https:\/\/[^\/]+\/(wp-content|static|content|include|uploads|news|data|admin)\/(images|pictures|image|temp|tmp|graphic|ass
aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd[.]onion
decoder[.]re


7. Ransom Note

The ransom note is stored as a Base64 encoded string in REvil’s configuration file under the nbody field. The note in this sample contains:

[Image: wallpaper set by REvil]

[Image: the note containing instructions for ransom payment]

8. Decryption Website

The ransom note instructs the victim to use a unique URL to decrypt their files. The URL leads to an attacker-controlled website that displays the form shown in the image below; victims must provide the key and extension name included in the ransom note. The key specified in the ransom note is the Base64-encoded representation of the encrypted stat data stored in the registry.

[Image: decryption website form]

The victim is then informed of the cost in Bitcoin to decrypt their files.

[Image: decryption website showing the ransom price]

[Image: REvil message to the victim]