ALPS blog

Ransomware Spotlight: REvil

Now that the reign of REvil has come to an end, it’s time to regroup and strategize. What can organizations learn from REvil’s tactics? We review the rise, downfall, and future of its operations using insights into the group’s arsenal and inner workings.

Ransomware Spotlight: REvil Infographic

View infographic of “Ransomware Spotlight: REvil”

REvil, also known as Sodinokibi, had risen to notoriety for its high-profile attacks since its discovery in 2019. After being among the most active ransomware variants in 2021, it was officially shut down after garnering the attention of law enforcement agencies due to its attacks on critical industries that resulted in supply shortages and delays. The crackdown led to the arrest of two of its associates and its TOR network being taken offline. However, organizations should not let their guard down. We foresee the group reemerging under a new moniker with the REvil name now tarnished and unlikely to entice affiliates.

Meanwhile, it is an opportune time for enterprises to regroup and strategize, starting by learning more about this infamous ransomware’s operation.

History of REvil

REvil is one example of ransomware as a service (RaaS) that originated from a Russian-speaking underground group. When it was first discovered, connections to the then recently retired GandCrab became apparent. One such connection was the use of an Oracle WebLogic vulnerability, as well as similarities in the URLs and command-and-control (C&C) servers used.

In 2020, REvil introduced double extortion in its schemes, using stolen files to coerce its victims into paying. Its operators conducted bold attacks on well-known public figures and organizations. Notably, REvil has a history of making good on its threat to publish stolen data via its own dedicated leak site. Additionally, it also posted data on underground forums and blog sites.

2021 saw REvil continue to use its techniques in full effect through debilitating attacks that hit major service providers and suppliers. In May, it attacked major meat supplier JBS and IT software provider Kaseya in July. REvil operators also stole blueprints from tech giant Apple via an attack on its supplier, Quanta Computer, in April.

REvil was also linked to DarkSide, the group that shut down the oil distributor Colonial Pipeline. In a later section, we give a more detailed look into the tools used in some of these attacks and hopefully capture the extent of REvil’s arsenal. Our monitoring of Water Mare (the name we have given the intrusion set behind REvil) also yields additional insights.

Water Mare: REvil behind the scenes

The connection between Water Mare and REvil dates back to April 2019, its first confirmed deployment. In June 2019, it was advertised by an actor with the username UNKN or Unknown (the same as REvil’s) on the XSS forum. It operated as an affiliate service: Affiliates spread the ransomware to victims while REvil operators maintained the malware and payment infrastructure.

In 2020, Water Mare acquired new capabilities and accesses that would be used in future attacks thanks to its affiliates. These capabilities include the PE injection capability using a PowerShell and the credential stealer KPOT stealer, which UNKN won in an auction for its source code. Affiliates also offered access to company networks and a VPN server. Around this time UNKN also made efforts to limit affiliates to Russian-speaking members to prevent intrusion.

2021 was a series of highs and lows for Water Mare, culminating in the arrest of several affiliates and the close documentation of REvil’s downfall. The early part of the year promised new developments such as the aforementioned plans for  distributed denial-of-service (DDoS) attacks, which would have ushered in triple extortion tactics. However, REvil’s biggest attacks — those that hit JBS and Kaseya — pushed law enforcement agencies to close in on the group’s heels.

FBI later attributed the Kaseya and JBS attacks to the Water Mare intrusion set. They reportedly gained access to the Water Mare intrusion set’s servers and retrieved the master key for REvil, which was provided to Kaseya. Around the same time, distrust for the threat group began to take root, with an affiliate claiming to have been bypassed in the negotiation process using a backdoor, foreshadowing REvil’s unraveling.

Despite announcing its return in September, by October 2021 Water Mare’s data leak program became inaccessible and the affiliate program terminated. Suspected Water Mare affiliates were also being arrested or tracked down, thanks to the efforts of global law enforcement agencies.

The future of REvil operators

Ultimately, REvil’s activities placed it at the top of the list of ransomware operators that governments were eager to crack down on. In a global effort, law enforcement went after REvil operators both offline and online, leading to the shutdown of its operations and actual arrests.

Based on our findings from Water Mare, it is unlikely that the intrusion set will resurface under the name REvil because of the amount of negative publicity this moniker had received given the following points:

  • Affiliates doubted REvil’s operations. The nature of REvil’s shutdown pointed to law enforcement and reports of a backdoor that cheated them from ransom negotiations. Ultimately, this cast considerable doubt on the group’s credibility among threat actors.
  • REvil lacked leadership with the disappearance of UNKN. 0_neday, UNKN’s successor, was unable to inspire renewed confidence in REvil operations. In contrast to UNKN’s efforts to prevent infiltration, 0_neday made serious errors, such as failing to generate new private keys to the restored data leak site.
  • REvil operated with reduced membership, which led to its shutdown. Efforts to attract affiliates again (such as modifying affiliate profit cut to 90%) backfired, as these efforts were likely interpreted by other threat actors as a final desperate measure.

We surmise that the group can persist by rebranding, which is a common tactic among ransomware operators and which has been done by the group before. Case in point, DarkSide has renamed itself as BlackMatter. Meanwhile, REVil’s affiliates are likely to move to other ransomware operators, if they have not done so already. As for its operators, it is probable that they will continue to work or move to other ransomware operations, bringing their techniques with them. Therefore, for organizations wondering what’s next, there is still great value in understanding REvil tactics, techniques, and procedures (TTPs).

An overview of REvil operations

One aspect that made REvil’s operation infamous was its heavy extortion tactics. As mentioned earlier, operators behind the ransomware group considered DDoS and got in touch directly with customers, business partners, and the media to pressure victims into paying the ransom. They also auctioned stolen data to place more duress on their victims.

REvil is also known for being an example of highly targeted ransomware, as it utilized tools based on its operators’ high-level knowledge of their targeted entities. This resulted in a varied arsenal and customized infection chains, as we elaborate on later.

To this end, REvil used tools like FileZilla to exfiltrate data and PsExec to propagate and remotely execute the ransomware and other files. It also used other tools and malware such as PC Hunter, AdFind, BloodHound, NBTScan, SharpSploit, third-party file sync tools, and Qakbot, a trojan used to deliver ransomware.

Top affected industries and counties

As our detections show, REvil attacks were concentrated largely in the US, followed by Mexico and Germany by a wide margin. This is consistent with evidence found in the code of REvil that purposely excludes countries in the Commonwealth of Independent States (CIS) as its targets.

Figure 1. Countries with the highest number of attack attempts for the REvil ransomware (January 1 to December 6, 2021)
Source: Trend Micro™ Smart Protection Network™ infrastructure

We saw the most REvil-related detections in the transportation industry, followed by the financial sector. In our report summarizing ransomware activity in the first half of 2021, transportation was already among the top three most targeted sectors, likely for its role in the supply chain and logistics. In general, the top targeted sectors are all critical industries, further emphasizing how REvil had been operating especially in 2021.

Figure 2. Industries with the highest number of attack attempts for the REvil ransomware (January 1 to December 6, 2021)
Source: Trend Micro Smart Protection Network infrastructure

Infection chains and techniques

Due to its targeted nature, REvil used a variety of tools and malware depending what the situation dictated. Its operators appeared to operate on a high-level of knowledge on their victim’s environment, as evidenced by the level of customization in its attacks.

Figure 3. The general infection chain of REvil

Specific attack flows

Figure 4. A more targeted attack flow (top) and a simple attack flow (bottom)

Figure 5. Infection chain followed in the attack on Quanta Computer

Figure 6. Infection chain followed in the attack on Kaseya

Figure 7. An infection chain based on a more recent campaign


Featured News