Arrival
Sodinokibi (also known as REvil) is typically deployed by human operators on enterprise networks during a breach. To gain access to the network, attackers deliver the payload as an email attachment or try to exploit vulnerabilities in web browsers, VPN appliances, and other services exposed to the internet. Once in the network, attackers steal credentials, move laterally to other devices, and obtain privileged credentials before installing this ransomware on multiple target devices.
Initial execution
When launched, this ransomware accesses the JSON file and decrypts the configuration data it requires for encryption:
- pk – Public key
- pid – Affiliate identifier
- sub – Campaign identifier
- dbg – Run in debug mode
- et – Determines the “encryption type”:
  - 0 – Fast encryption
  - 1 – Full encryption
  - 2 – Encrypt in specified portions determined by size
- spsize – Number of MB to skip when et is set to '2'
- wipe – When set to "True", instructs the ransomware to proceed with file encryption
- wht – Exclusion list of folders, files, and extensions for encryption
- fls – List of allowed files
- ext – List of allowed extensions
- fld – List of allowed folders
- Wfld – List of folders with specific names (for instance, "Backup") to delete
- prc – List of processes to stop
- dmn – List of domains to which the encrypted data containing encryption keys is sent
- svc – List of services to stop
- nbody – Base64-encoded ransom note
- nname – Extension that is appended to the encrypted files
- img – Base64-encoded string used to set the desktop background image
- arn – Determines whether the encryptor will persist via the Run key
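An analyst who has recovered the decrypted configuration usually wants the fields above turned into a readable triage summary (who ran the campaign, which encryption mode was chosen, what the note says, what will be killed, where keys are sent). The following Python is an added example, not code from the page or from the ransomware; the configuration it parses is a constructed placeholder, and the nesting of fld/fls/ext under wht, the JSON types of each field, and the bool-or-"True" handling of wipe are assumptions made for this example.

```python
import base64
import json

# Constructed configuration in the shape the field list above describes.
# Every value is a placeholder chosen for this example, not data from the
# analysed sample.
SAMPLE_CONFIG = json.dumps({
    "pk": base64.b64encode(b"placeholder-public-key").decode(),
    "pid": "affiliate-placeholder",
    "sub": "campaign-placeholder",
    "dbg": False,
    "et": 2,
    "spsize": 5,
    "wipe": True,
    # Assumed nesting: wht holds the fld/fls/ext exclusion lists.
    "wht": {"fld": ["windows", "$recycle.bin"],
            "fls": ["ntldr", "boot.ini"],
            "ext": ["exe", "dll", "sys"]},
    "wfld": ["backup"],
    "prc": ["outlook", "sql", "thunderbird"],
    "dmn": ["lorenacarnero.com", "resortmtn.com"],
    "svc": ["sql", "backup"],
    "nbody": base64.b64encode(b"Your files are encrypted. [placeholder note]").decode(),
    "nname": "placeholder-ext",
    "img": "",
    "arn": True,
})

ENCRYPTION_TYPES = {0: "fast", 1: "full", 2: "partial"}


def describe_encryption_mode(et, spsize):
    """Translate the et/spsize pair into the mode described in the field list."""
    if et == 2:
        return f"partial (skip {spsize} MB between encrypted portions)"
    return ENCRYPTION_TYPES.get(et, "unknown")


def parse_config(raw):
    """Parse a config JSON with the fields listed above into a triage summary."""
    cfg = json.loads(raw)
    wht = cfg.get("wht", {})
    return {
        "affiliate": cfg.get("pid"),
        "campaign": cfg.get("sub"),
        "debug": bool(cfg.get("dbg")),
        "encryption_mode": describe_encryption_mode(cfg.get("et"), cfg.get("spsize")),
        # wipe may be a JSON bool or the literal string "True"; accept both.
        "will_encrypt": cfg.get("wipe") in (True, "True", "true"),
        "excluded_folders": wht.get("fld", []),
        "excluded_files": wht.get("fls", []),
        "excluded_extensions": wht.get("ext", []),
        "folders_to_delete": cfg.get("wfld", []),
        "processes_to_stop": cfg.get("prc", []),
        "services_to_stop": cfg.get("svc", []),
        "c2_domains": cfg.get("dmn", []),
        "ransom_note": base64.b64decode(cfg.get("nbody", "")).decode("utf-8", "replace"),
        "nname": cfg.get("nname"),
        "run_key_persistence": bool(cfg.get("arn")),
    }


if __name__ == "__main__":
    for key, value in parse_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

The prc, svc and dmn lists are the immediately actionable output: the first two feed process- and service-termination detections, and the third feeds DNS and proxy blocklists before any sample reaches the C2 stage.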
The following image shows the configuration data in the JSON file:
Once the ransomware has access to the configuration data, it proceeds to collect information about the device and identifies files for encryption.
Deletes backups and shadow copies
After identifying files to encrypt, this ransomware deletes shadow copies of files and system volumes to prevent the recovery of encrypted files. It runs the following PowerShell command to delete shadow copies:
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
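Shadow-copy deletion is one of the earliest high-confidence signals in a ransomware intrusion, so the command above is worth a process-creation detection that survives whitespace removal and case changes. The Python below is an added example written for this page, not code from the original analysis; the log lines are constructed, and the gwmi alias, Get-CimInstance/Remove-CimInstance and Remove-WmiObject spellings are my additions covering other ways of issuing the same WMI deletion, not forms the page reports for this sample.

```python
import re

# Constructed process-creation events (command-line field only). These are
# not telemetry from the analysed sample.
SAMPLE_EVENTS = [
    'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"',
    'powershell.exe -NoP -W Hidden -c "Get-WmiObjectWin32_Shadowcopy|ForEach-Object {$_.Delete();}"',
    'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | Select-Object ID, InstallDate"',
    'powershell.exe -c "Get-CimInstance Win32_ShadowCopy | Remove-CimInstance"',
    'cmd.exe /c dir C:\\Users',
]


def normalize(cmdline):
    """Lower-case and drop whitespace and quotes so spacing changes do not evade the match."""
    return re.sub(r"[\s\"']", "", cmdline.lower())


# A query for the shadow-copy WMI/CIM class (gwmi is the Get-WmiObject alias) ...
SHADOWCOPY_QUERY = re.compile(r"(get-wmiobject|gwmi|get-ciminstance).{0,40}win32_shadowcopy")
# ... combined with a deletion of the returned objects. A query alone (for
# example, listing shadow copies) is legitimate admin activity and is not flagged.
DELETE_ACTION = re.compile(r"\$_\.delete\(|remove-wmiobject|remove-ciminstance")


def is_shadowcopy_deletion(cmdline):
    """True when the command both enumerates Win32_Shadowcopy and deletes the results."""
    n = normalize(cmdline)
    return bool(SHADOWCOPY_QUERY.search(n) and DELETE_ACTION.search(n))


def find_shadowcopy_deletions(events):
    """Return the command lines that should raise an alert."""
    return [e for e in events if is_shadowcopy_deletion(e)]


if __name__ == "__main__":
    for hit in find_shadowcopy_deletions(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Requiring both the query and the delete action keeps backup-health scripts that merely enumerate shadow copies out of the alert queue, while the normalisation step means the compressed form of the command and the spaced form match the same rule.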
Stores data in registry
This ransomware stores data that it requires for encryption in a random registry key. It stores a unique identifier (UID) to identify the system, a key to encrypt files, and a random extension that it appends to filenames after encryption.
Decrypts strings and API names
This ransomware uses a unique RC4 algorithm to decrypt specific strings and application programming interface (API) names that it requires to execute its code.
Stops processes
This ransomware stops the following processes to ensure they don’t lock files targeted for encryption:
agntsvc, dbeng50, dbsnmp, encsvc, excel, firefox, infopath, isqlplussvc, msaccess, mspub, mydesktopqos, mydesktopservice, ocautoupds, ocomm, ocssd, onenote, oracle, outlook, powerpnt, sqbcoreservice, sql, steam, synctime, tbirdconfig, thebat, thunderbird, visio, winword, wordpad, xfssvccon
Encrypts files
This ransomware uses the Salsa20 algorithm to encrypt files. It appends a random-looking extension with three to nine alphanumeric characters to the original file names. For example, a resulting file name might be example.jpg.6y35q.
Displays ransom note
After successful encryption, the ransomware replaces the desktop background image with the following image:
The ransomware drops a text file named <string>-readme.txt in all affected folders. The file contains a ransom note indicating that files have been encrypted and providing recovery instructions. The note also includes threats about disclosing data found on the device:
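During incident response, the two on-disk artifacts described above (one random 3-to-9-character extension appended across many files, plus a <string>-readme.txt note in the same folders) are what a responder scans a file listing for. The Python below is an added example, not code from the page; the directory listing is constructed, and the rule that at least three files must share the same appended extension before it counts as suspicious is a threshold chosen for this example to avoid flagging ordinary double extensions such as .tar.bz2.

```python
import re
from collections import Counter

# A name that already had an extension, with a 3-9 character alphanumeric
# extension appended after it (example.jpg.6y35q in the text above).
ENCRYPTED_NAME = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]+)\.(?P<ext>[a-z0-9]{3,9})$")
# The <string>-readme.txt note described above.
RANSOM_NOTE = re.compile(r"^(?P<prefix>.+)-readme\.txt$", re.IGNORECASE)

# Constructed directory listing; 6y35q is the example extension from the text.
SAMPLE_LISTING = [
    "report.docx.6y35q",
    "photo.jpg.6y35q",
    "budget.xlsx.6y35q",
    "6y35q-readme.txt",
    "notes.txt",
    "setup.exe",
    "archive.tar.gz",
]


def triage_listing(names, min_files=3):
    """Summarise a listing: appended extensions seen on >= min_files files, and any notes."""
    ext_counts = Counter()
    for name in names:
        m = ENCRYPTED_NAME.match(name)
        if m:
            ext_counts[m.group("ext")] += 1
    notes = [n for n in names if RANSOM_NOTE.match(n)]
    suspect = {ext: c for ext, c in ext_counts.items() if c >= min_files}
    return {
        "suspect_extensions": suspect,
        "ransom_notes": notes,
        # Both signals together are far stronger than either alone.
        "likely_encrypted": bool(suspect) and bool(notes),
    }


def original_name(encrypted):
    """Recover the pre-encryption file name for inventory purposes (does not decrypt anything)."""
    m = ENCRYPTED_NAME.match(encrypted)
    return m.group("orig") if m else None


if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
    print(original_name("photo.jpg.6y35q"))
```

Counting extensions rather than matching individual names is the important design choice: a single file called backup.tar.bz2 matches the regex, but only a random extension repeated across many files in a folder that also holds a note is the pattern this ransomware leaves.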
Communicates with C2 server
After encrypting the files, this ransomware generates random URLs for the domains listed in the configuration file. It uses these URLs to establish a connection with the attacker’s command-and-control (C2) server and transfers the encrypted data along with the encryption keys to the server.
Some of the URLs are listed below:
- https://lorenacarnero[.]com/data/pictures/vvfhutgqqy.gif
- https://resortmtn[.]com/content/game/mnvn.gif
- https://haremnick[.]com/include/pictures/wdgltqgw.gif
- https://allentownpapershow[.]com/news/images/ghok.gif
- https://idemblogs[.]com/static/graphic/iwxyuv.png
- https://toreria[.]es/include/tmp/plpuhsnmmshd.gif
- https://boldcitydowntown[.]com/static/pics/cqjmvq.png
- https://teczowadolina.bytom[.]pl/news/temp/ifucsd.jpg
- https://faroairporttransfers[.]net/uploads/pictures/nw.jpg
- https://rushhourappliances[.]com/wp-content/temp/azacwiswuder.jpg
- https://mediaclan[.]info/static/images/xblvtt.gif
- https://digi-talents[.]com/static/assets/hyaimeegqq.jpg
- https://xtptrack[.]com/admin/tmp/upjm.png
- https://bridgeloanslenders[.]com/news/tmp/eoda.png
- https://gopackapp[.]com/content/images/gesmde.gif
- https://rimborsobancario[.]net/uploads/graphic/pffokuljjq.jpg
- https://almosthomedogrescue[.]dog/wp-content/image/mlyxlq.jpg
- https://forestlakeuca.org[.]au/data/tmp/ponpwh.gif
- https://tenacitytenfold[.]com/uploads/assets/mndvwvuu.png
- https://theapifactory[.]com/static/graphic/tegocytp.gif
- https://hannah-fink[.]de/data/images/bnwsyb.jpg
- https://you-bysia.com[.]au/news/images/ywjx.jpg
- https://centuryrs[.]com/include/temp/it.jpg
- https://asiluxury[.]com/static/game/ugnh.gif
- https://educar[.]org/uploads/pictures/xg.jpg
- https://socialonemedia[.]com/content/image/nueqijsh.gif
- https://aurum-juweliere[.]de/static/images/qekwhx.png
- https://nativeformulas[.]com/admin/game/twmggjxf.gif
- https://mrsplans[.]net/wp-content/assets/agudutnk.png
- https://corendonhotels[.]com/include/graphic/hndswgbf.jpg
- https://alten-mebel63[.]ru/news/image/dj.png
- https://abogados-en-alicante[.]es/admin/images/ovhryrtx.gif
- https://wacochamber[.]com/include/images/adbobotdlqju.png
- https://denovofoodsgroup[.]com/uploads/images/yfvsjybp.jpg
- https://spacecitysisters[.]org/uploads/pics/bmhkul.gif
- https://pixelarttees[.]com/content/tmp/ykzwvkrcny.jpg
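The URLs above share a shape: an HTTPS request to a compromised-looking domain, two directory segments drawn from a small vocabulary (data, content, include, news, static, uploads, wp-content, admin; then pictures, game, images, graphic, tmp, temp, pics, image, assets), and a random lowercase file name with a .gif, .png or .jpg extension. That shape can enrich proxy-log triage even when the domain is not yet on a blocklist. The Python below is an added example, not code from the page; the vocabulary is taken from the listed URLs, the known-domain set is a three-entry subset of the list, the proxy-log lines are constructed, and example.org entries are placeholders.

```python
import re
from urllib.parse import urlparse

# Path vocabulary observed in the URLs listed above.
FIRST_DIRS = {"data", "content", "include", "news", "static", "uploads", "wp-content", "admin"}
SECOND_DIRS = {"pictures", "game", "images", "graphic", "tmp", "temp", "pics", "image", "assets"}
IMAGE_EXTS = {"gif", "png", "jpg"}
# Random-looking lowercase stems; 2 to 12 letters covers every listed example.
RANDOM_STEM = re.compile(r"^[a-z]{2,12}$")


def refang(indicator):
    """Convert the defanged form used above (example[.]com) into a real hostname."""
    return indicator.replace("[.]", ".")


# A subset of the listed domains; extend from the full list when deploying.
KNOWN_C2_DOMAINS = {refang(d) for d in (
    "lorenacarnero[.]com", "resortmtn[.]com", "haremnick[.]com")}


def matches_revil_url_pattern(url):
    """True when the URL has the <dir>/<dir>/<random>.<image-ext> shape seen above."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    parts = parsed.path.strip("/").split("/")
    if len(parts) != 3:
        return False
    first, second, filename = parts
    stem, dot, ext = filename.rpartition(".")
    return (dot == "." and first in FIRST_DIRS and second in SECOND_DIRS
            and ext in IMAGE_EXTS and RANDOM_STEM.match(stem) is not None)


def triage_proxy_log(lines):
    """Label each constructed '<timestamp> <user> <url>' line: known-domain, pattern-only or None."""
    results = []
    for line in lines:
        url = line.split()[-1]
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_C2_DOMAINS:
            verdict = "known-domain"
        elif matches_revil_url_pattern(url):
            verdict = "pattern-only"
        else:
            verdict = None
        results.append((url, verdict))
    return results


# Constructed proxy log lines; example.org entries are placeholders.
SAMPLE_PROXY_LOG = [
    "2021-03-01T10:00:01Z alice https://lorenacarnero.com/data/pictures/vvfhutgqqy.gif",
    "2021-03-01T10:00:02Z bob https://example.org/static/images/qwerty.png",
    "2021-03-01T10:00:03Z carol https://example.org/blog/2021/post.html",
    "2021-03-01T10:00:04Z dave https://example.org/wp-content/uploads/2020/03/photo.jpg",
]

if __name__ == "__main__":
    for url, verdict in triage_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{verdict or 'clean':13} {url}")
```

A known-domain hit is a blocking indicator; a pattern-only hit is low fidelity on its own (plenty of legitimate sites serve /static/images/name.png) and is better used to rank hosts for follow-up, especially when the same host also shows the shadow-copy deletion or process-termination activity described earlier.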
Sample used in this analysis
This ransomware has multiple variants that exhibit varying behaviors. This analysis is based on the following sample:
498db1354a8ab657af66e7acb8df73c649e18a29ab32408989a46c39654e6337 (SHA-256)