Aug 04, 2021

Unraveling REvil from Radical

Ransomware is malicious software (malware) that infects a computer and restricts the victim's access to their data, typically by encrypting it, until a ransom is paid. Operators threaten to leave the data permanently unrecoverable if the victim does not pay by a deadline. Ransomware has become increasingly sophisticated in its ability to spread and evade detection.

Ransomware attacks are on the rise, in large part because campaigns are increasingly run by Ransomware as a Service (RaaS) gangs, which supply the malware and infrastructure to affiliates who carry out the intrusions.

In this report, we take a look at REvil, one of the most active ransomware gangs, and its RaaS operation, which is drawing in an ever-increasing number of affiliates as other RaaS gangs shut down.

REvil

REvil is one of the most well-known Ransomware as a Service (RaaS) providers. The gang has adopted the strategy of leaking stolen data whenever a victim does not pay the ransom. REvil takes a percentage of the negotiated ransom from its affiliates in return for these services. It has a reputation for attempting to extort much higher sums from its corporate victims than other RaaS gangs do. The gang uses underground cybercrime forums to actively advertise itself as the best choice for targeting business networks, where there is far more money to be made than in infecting home systems. Beyond the numerous high-profile firms and organizations that have fallen victim to REvil, the gang exfiltrates data from victims' systems and networks before encrypting it; this double-extortion tactic, which puts much greater pressure on victims, is becoming extremely prevalent.

REvil Data Breach Announcement Page on Tor.

REvil sits at the top of a pyramid that includes up to 30 additional ransomware groups engaged in Big Game Hunting campaigns: they target large businesses in both the commercial and public sectors in order to obtain multi-million dollar ransom payments.

Below is a screenshot of the REvil ransom note, which is dropped once the encryption process is completed.

Execution Flow – REvil Kaseya Attack

Researchers investigated a DLL found on one of the affected customer's critical servers that had been infected by the ransomware. The file is mpsvc.dll, a digitally signed DLL, and it is the REvil ransomware payload itself.

This library was side-loaded by a genuine Microsoft program, MsMpEng.exe, the executable of the Windows Defender Antimalware service. The attackers used an outdated version of the binary that is susceptible to DLL side-loading: when it starts, it resolves mpsvc.dll from its own directory, so a malicious DLL placed alongside it is loaded in place of the legitimate one.

The chain starts with a dropper named agent.exe, which writes MsMpEng.exe and the malicious mpsvc.dll to the infected system. When MsMpEng.exe runs, it calls an exported function named ServiceCrtMain in the attacker's mpsvc.dll. That function unpacks the ransomware, loads it into memory and runs it, and the encryption process begins.
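The side-loading chain above leaves a simple trace on the endpoint: a copy of MsMpEng.exe running outside the Defender install directories, and that process loading an mpsvc.dll from the same untrusted location. The following detection logic is an added example and not code from the original post or from any vendor; it parses Sysmon-style image-load records (Event ID 7, where Image is the loading process and ImageLoaded is the DLL) and flags both signals. The trusted-directory list, the key="value" record format and the sample log lines are all constructed for this example.

```python
"""Detection logic for the MsMpEng.exe / mpsvc.dll side-loading chain.

Added example, not code from the original post. It parses Sysmon-style
image-load records (Event ID 7: Image = the loading process,
ImageLoaded = the DLL) and flags two things:
  * MsMpEng.exe loading a file called mpsvc.dll from outside the trusted
    Defender directories (the side-load itself), and
  * MsMpEng.exe running from anywhere outside those directories at all.
The trusted-directory list, the Key="Value" record format and the sample
log lines are all constructed for this example.
"""
import re
from pathlib import PureWindowsPath

# Assumption: a genuine MsMpEng.exe/mpsvc.dll pair only lives under these
# Defender directories. Extend this for your own estate before deploying.
TRUSTED_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
)


def norm(path: str) -> str:
    """Canonicalise a Windows path: backslashes, lowercase, no trailing slash."""
    return str(PureWindowsPath(path)).lower().rstrip("\\")


def is_trusted_dir(path: str) -> bool:
    """True if the file at `path` lives under one of TRUSTED_DIRS (any depth)."""
    p = norm(path)
    return any(p.startswith(norm(d) + "\\") for d in TRUSTED_DIRS)


def basename(path: str) -> str:
    """Lowercased file name component of a Windows path."""
    return PureWindowsPath(path).name.lower()


# Records are one line each, as Key="Value" pairs (constructed format).
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_record(line: str) -> dict:
    return dict(FIELD_RE.findall(line))


def check_image_load(rec: dict):
    """Return an alert string for a suspicious MsMpEng.exe record, else None."""
    image = rec.get("Image", "")
    loaded = rec.get("ImageLoaded", "")
    if basename(image) != "msmpeng.exe":
        return None
    # Most specific signal first: the Defender service pulling in an mpsvc.dll
    # from somewhere it should never be, regardless of where the EXE sits.
    if basename(loaded) == "mpsvc.dll" and not is_trusted_dir(loaded):
        return f"side-load: {image} loaded mpsvc.dll from {loaded}"
    # Weaker signal: a copy of the Defender service running outside its home.
    if not is_trusted_dir(image):
        return f"untrusted MsMpEng.exe location: {image}"
    return None


def scan(lines):
    """Run the check over image-load records; other event IDs are ignored."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "7":
            continue
        alert = check_image_load(rec)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records: one benign Defender load, one unrelated
# process-create event for the dropper, and three loads involving a copy of
# MsMpEng.exe that was written outside the Defender directories.
SAMPLE_LOG = [
    r'EventID="7" Image="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\MsMpEng.exe" ImageLoaded="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\mpsvc.dll"',
    r'EventID="1" Image="C:\Temp\agent.exe" CommandLine="agent.exe"',
    r'EventID="7" Image="C:\Windows\MsMpEng.exe" ImageLoaded="C:\Windows\mpsvc.dll"',
    r'EventID="7" Image="C:\Windows\MsMpEng.exe" ImageLoaded="C:\Windows\System32\kernel32.dll"',
    r'EventID="7" Image="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\MsMpEng.exe" ImageLoaded="C:\Users\Public\mpsvc.dll"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The mpsvc.dll check is evaluated before the location check so that the more specific finding wins; a legitimately placed MsMpEng.exe that still pulls mpsvc.dll from a user-writable directory is reported as a side-load rather than being missed. Path comparison is done on a canonicalised lowercase form because Sysmon and EDR telemetry are not consistent about case or separators.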

REvil claimed in a post on its darknet leak site, Happy Blog, that over one million devices had been encrypted, and demanded a $70 million ransom in Bitcoin for a universal decryptor.
