{
	"id": "e487532d-f293-4feb-b531-1f0af670d593",
	"created_at": "2026-04-06T00:12:58.498763Z",
	"updated_at": "2026-04-10T03:36:33.950802Z",
	"deleted_at": null,
	"sha1_hash": "17c4df446f3606e873f589bfdec1dcfa3be55abc",
	"title": "REvil ransomware attack against MSPs and its clients around the world",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1204748,
	"plain_text": "REvil ransomware attack against MSPs and its clients around the world\r\nBy Kaspersky\r\nPublished: 2021-07-05 · Archived: 2026-04-02 11:12:04 UTC\r\nResearch\r\n05 Jul 2021\r\n2 minute read\r\nhttps://securelist.com/revil-ransomware-attack-on-msp-companies/103075/\r\n\r\nAn attack perpetrated by the REvil (aka Sodinokibi) ransomware gang against Managed Service Providers (MSPs) and their clients was discovered on July 2. Some of the victims have reportedly been compromised through a popular MSP software product, which led to the encryption of their customers. The total number of encrypted businesses could run into thousands.\r\nREvil ransomware has been advertised on underground forums for three years, and it is one of the most prolific RaaS operations. According to an interview with the REvil operator, the gang earned over $100 million from its operations in 2020. The group’s activity was first observed in April 2019, after the shutdown of GandCrab, another now-defunct ransomware gang. More details about that gang can be found in our articles Ransomware world in 2021: who, how and why and Sodin ransomware exploits Windows vulnerability and processor architecture.\r\nIn this latest case, the attackers deployed a malicious dropper via a PowerShell script, which, in turn, was executed through the vendor’s agent. This script disables Microsoft Defender features and then uses the certutil.exe utility to decode a malicious executable (agent.exe) that drops a legitimate Microsoft binary (MsMpEng.exe, an older version of Microsoft Defender) and a malicious library (mpsvc.dll), which is the REvil ransomware. This library is then loaded by the legitimate MsMpEng.exe using the DLL side-loading technique (T1574.002).\r\nExecution map for the “agent.exe” dropper – Kaspersky Cloud Sandbox\r\nUsing our Threat Intelligence service, we observed more than 5,000 attack attempts in 22 countries by the time of writing.\r\nGeography of attack attempts (based on KSN statistics)\r\nREvil encrypts file contents with the Salsa20 symmetric stream cipher and protects the Salsa20 keys with an elliptic-curve asymmetric algorithm. Decryption of files affected by this malware is impossible without the cybercriminals’ keys, because of the secure cryptographic scheme and implementation used in the malware.\r\nKaspersky products protect against this threat and detect it with the following names:\r\nUDS:DangerousObject.Multi.Generic\r\nTrojan-Ransom.Win32.Gen.gen\r\nTrojan-Ransom.Win32.Sodin.gen\r\nTrojan-Ransom.Win32.Convagent.gen\r\nPDM:Trojan.Win32.Generic (with Behavior Detection)\r\nSection of Kaspersky TIP lookup page for the 0x561CFFBABA71A6E8CC1CDCEDA990EAD4 binary\r\nThe vendor whose software was reportedly compromised issued a special advisory, which is being periodically updated.\r\nTo keep your company protected against ransomware 2.0 attacks, Kaspersky experts recommend:\r\nNot exposing remote desktop services (such as RDP) to public networks unless absolutely necessary, and always using strong passwords for them.\r\nPromptly installing available patches for commercial VPN solutions that provide access for remote employees and act as gateways in your network.\r\nAlways keeping software updated on all the devices you use, to prevent ransomware from exploiting vulnerabilities.\r\nFocusing your defense strategy on detecting lateral movement and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections. Back up data regularly. Make sure you can quickly access it in an emergency when needed. Use the latest Threat Intelligence information to stay aware of the actual TTPs used by threat actors.\r\nUsing solutions like Kaspersky Endpoint Detection and Response and the Kaspersky Managed Detection and Response service, which help to identify and stop attacks at the early stages, before the attackers reach their main goals.\r\nProtecting the corporate environment and educating your employees. Dedicated training courses can help, such as those provided in the Kaspersky Automated Security Awareness Platform. A free lesson on how to protect against ransomware attacks is available here.\r\nUsing a reliable endpoint security solution such as Kaspersky Endpoint Security for Business, which is powered by exploit prevention, behavior detection and a remediation engine that can roll back malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.\r\nIndicators of Compromise\r\nagent.cer (encrypted agent.exe)\r\n95F0A946CD6881DD5953E6DB4DFB0CB9\r\nagent.exe\r\n561CFFBABA71A6E8CC1CDCEDA990EAD4\r\nmpsvc.dll, REvil ransomware\r\n7EA501911850A077CF0F9FE6A7518859\r\nA47CF00AEDF769D60D58BFE00C0B5421",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/"
	],
	"report_names": [
		"103075"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434378,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17c4df446f3606e873f589bfdec1dcfa3be55abc.pdf",
		"text": "https://archive.orkl.eu/17c4df446f3606e873f589bfdec1dcfa3be55abc.txt",
		"img": "https://archive.orkl.eu/17c4df446f3606e873f589bfdec1dcfa3be55abc.jpg"
	}
}