Integer value that is only referenced if the "net" key is set to send basic host and malware information to the C2 server likely associated with the sub key and could be a campaign or affiliate identifier True/false value that determines if REvil should attempt to exfiltrate basic host and malware information to the configured C2 servers listed in the dmn key True/false value that determines how files larger than 65535 bytes are encryptedīase64-encoded value of the text placed at the top of the background image created and set by REvilīase64-encoded value of the ransomware note text dropped in folders where files were encryptedįilename string of the ransomware note dropped in folders where files were encrypted True/false value that determines if REvil should attempt to elevate privileges by exploiting a local privilege escalation (LPE) vulnerability Semicolon-delimited list of fully qualified domain names that represent REvil command and control (C2) servers True/false value used by the malware author during development (referenced only when determining if the victim is Russian)
Passing the -nolan switch to the REvil executable disables this functionality. By default, REvil attempts to identify attached network shares and encrypt their contents. An additional REvil configuration parameter not located within the configuration JSON is the "-nolan" switch, which can be passed to the ransomware executable at runtime. Table 1 lists the configuration keys and their purpose. As a result, the values in these keys are truncated.įigure 2. In the sample shown in Figure 2, word-wrapping was disabled due to the value length within the "dmn" and "nbody" configuration keys. The decoded value is a JSON-formatted string that contains the configurable REvil elements. REvil executable resource containing the encoded configuration and the decode key. The remaining bytes are the encoded configuration.įigure 1. The first 32 bytes of this resource form the key used to decode the configuration.
m69 (see Figure 1) within the unpacked binary. The REvil sample analyzed by CTU researchers stored the encoded configuration as a resource named.
Secureworks® Counter Threat Unit™ (CTU) analysis suggests that REvil is likely associated with the GandCrab ransomware due to similar code and the emergence of REvil as GandCrab activity declined.
It is used by the financially motivated GOLD SOUTHFIELD threat group, which distributes ransomware via exploit kits, scan-and-exploit techniques, RDP servers, and backdoored software installers.
The REvil (also known as Sodinokibi) ransomware was first identified on April 17, 2019.