Threat Hunting for REvil Ransomware
REvil (short for Ransomware Evil and also referred to as Sodinokibi) ransomware is in the ransomware-as-a-service(RaaS) business. The malware is handed over to the affiliates to infect users and extort money. In turn the original REvil developers take 20-30% of the amount that the affiliates receive. The ransomware developers say that they have made more than $100 million in one year by infecting users owning large businesses. Attacks attributed to REvil were first spotted in April 2019, soon after the shutdown of the Gandcrab ransomware family. In fact, the developers of REvil have admitted that they did not build from scratch, but instead used the Grandcrab code base. In this post we describe how security operations teams can hunt for REvil ransomware and the artifacts it produces / leaves behind.
Figure 1: Tor Payment page from a REvil infected machine
To encrypt files, REvil uses elliptic curve cryptography(ECC). This allows smaller keys compared to other approaches without compromising on effectiveness of the encryption . Since its first appearance, this ransomware family has exploited vulnerabilities in software such as Windows Servers like 2012, 2012 R2 etc, as well as more recently Remote Desktop Gateway (RD Gateway).
Figure 2: REvil result from Virustotal
The configuration that the malware reads is a JSON file and it is stored in a special section of the malware binary called .iyaw in this case (Figure 3). The name changes with every new sample and the configuration is RC4 encrypted.
Figure 3: Section header containing ransomware configuration
The configuration defines the files to be excluded from encryption as well as the ransom note to be displayed. The sample configuration after being decrypted is shown in Figure 4.
Figure 4: Decrypted REvil configuration (Source: cybereason)
After encryption the wallpaper changes (Figure 5) to display that all files have been encrypted and all the instructions are in a text file (Figure 6).
Figure 5: Wallpaper changed after REvil infection
Figure 6: Note containing instruction for ransom payment
The configuration file (Figure 4) contains prc and svc fields which are process names and services that would be killed before the encryption process begins. REvil also deletes Volume Shadow Copies (VSS) using the PowerShell command shown in Figure 7.
Figure 7: Encoded Powershell command to delete VSS
Decoding the command reveals the actual command (Figure 8).
Figure 8: Decoded Powershell command
Threat Hunting for REvil
With that background, how does a security analyst uncover REvil, ideally before significant impact across the organization? After the files have been encrypted, the ransomware reaches out to over a 1000 domains generated based on information from the configuration file. Each URL contains the following pattern:
Out of these 1000 domains, many are legitimate while others are C2 servers owned by the REvil operators which receive information from the infected machine. This technique allows the attackers to hide the real attacker servers. All the communication happens in TLS and the SNI can be seen in Figure 9.
Figure 9: SNIs reached by REvil
From having looked at multiple REvil samples, it appears that the TLS cipher suites (Figure 10) are always constant for any domain accessed by the ransomware.
Figure 10: TLS cipher suites for domains accessed by REvil
Similarly, the TLS client extension codes also remain constant across all domains.
Figure 11: TLS client extension codes for REvil C2 domains
The fact that the TLS fields are identical across all of the REvil session can be observed using TLS fingerprinting. This fact can be used with a technology like JA3 and can be fine tuned for true positives by using additional analytics. Specifically, the JA3 hash of the REvil traffic is 1d095e68489d3c535297cd8dffb06cb9. However, simply relying on this hash is likely to lead to false positives. For instance, searching customer networks for the same JA3 hash showed some traffic that was clearly not ransomware (Figure 12).
Figure 12: JA3 False Positive; Basespace AWS API Traffic
This is where deep security analytics can help. For instance, it is possible to identify devices within this list that have the behavior described above where thousands of different destinations are accessed in quick succession.
Within the Awake Security Platform, Ava, performs this analysis automatically for you much like an experienced threat hunter. For instance, Ava will automatically connect the dots across the different behaviors we described above to triage and narrow down to just the trust positives. Ava can also account for threat intelligence and open source intelligence indicators to confirm the compromise and recommend next steps for investigation and response. Finally, Ava can trigger response actions by integrating with the rest of the organization’s security and IT infrastructure. Especially when dealing with ransomware, speed of remediation is of the essence and the automated triage, investigation and response that Ava brings to this process helps mitigate impact.
Figure 13: Awake Situation for REvil ransomware detection
It is recommended to backup all important data to external drives or in the cloud for better security. Additionally, organizations should protect and monitor all the early vectors of ransomware. This includes protecting email and securely working with attachments especially from unknown sources as well as monitoring and protecting the entire attack surface e.g. externally exposed remote desktop or VPN services etc.. Finally, identify the sequence and patterns of communication we describe in this blog post and hunt for those to uncover the presence of REvil on your network.
Dig Deeper with These Resources
Awake Security 2 Minute Explainer Video
What if security could think? What if it could sense danger, calculate risk, and react quickly based…
The Internet’s New Arms Dealers: Malicious Domain Registrars
This report dives into the results of a multi-month investigation that uncovered a massive global surveillance campaign…