{
	"id": "d7039069-a079-42fd-bf0d-0964dbed4ea1",
	"created_at": "2026-04-06T00:18:49.62927Z",
	"updated_at": "2026-04-10T03:20:18.754174Z",
	"deleted_at": null,
	"sha1_hash": "3ad510618f2e23bbea51896b5aea8be197bda628",
	"title": "REvil Ransomware-as-a-Service: An analysis of a ransomware affiliate operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 143807,
	"plain_text": "REvil Ransomware-as-a-Service: An analysis of a ransomware affiliate operation\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 18:08:54 UTC\r\nBy the Intel 471 Malware Intelligence team.\r\nSummary\r\nREvil, aka Sodinokibi or Sodin, is a ransomware family operated as a ransomware-as-a-service (RaaS). Deployments of REvil were first observed in April 2019, when attackers leveraged a vulnerability in Oracle WebLogic servers tracked as CVE-2019-2725.\r\nREvil is highly configurable and allows operators to customize the way it behaves on the infected host. Some of its features include:\r\nExploits a kernel privilege escalation vulnerability (CVE-2018-8453) to gain SYSTEM privileges.\r\nWhitelists files, folders and extensions from encryption.\r\nKills specific processes and services prior to encryption.\r\nEncrypts files on local and network storage.\r\nCustomizes the name and body of the ransom note, and the contents of the background image.\r\nExfiltrates encrypted information about the infected host to remote controllers.\r\nREvil uses Hypertext Transfer Protocol Secure (HTTPS) for communication with its controllers.\r\nCapabilities Overview\r\nRansomware.\r\nBehaviour Overview\r\nUses a persistence mechanism.\r\nEncrypts additional resources.\r\nSupports privilege escalation.\r\nAdversary intelligence\r\nDevelopers\r\nREvil ransomware was first advertised on a Russian-language cybercrime forum in June 2019. The main actor associated with advertising and promoting REvil ransomware is called Unknown, aka UNKN. The RaaS is operated as an affiliate service: affiliates spread the malware by acquiring victims, while the REvil operators maintain the malware and the payment infrastructure. Affiliates receive 60% to 70% of the ransom payment.\r\nDue to source code and behavior similarities between REvil and GandCrab, it was suggested there might be a connection tying the developers of the two ransomware families together. 
In addition to the similarities in the code, supplemental evidence tying GandCrab and REvil together is that GandCrab officially \"retired\" just before REvil appeared in the wild. REvil is actively maintained and under constant development, just as GandCrab was. The most recent REvil ransomware version at the time of this report was 2.1.\r\nThe actor Unknown acknowledged the public reports linking REvil to GandCrab with the following statement:\r\n“We used to be affiliates of the (GandCrab) affiliate program. We bought the source code and started our own business. We developed custom features for our purposes”\r\nDespite the plausible alibi given by actor Unknown, the evidence suggests that REvil is a continuation of the GandCrab RaaS operation with new software, operated by the same individuals.\r\nThe actors behind REvil include their master public key in all REvil binaries. Therefore, they are able to decrypt the files independently of the affiliates running the campaigns.\r\nhttps://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/\r\nOperators\r\nREvil is a RaaS in the sense that a single group operates and manages the development of the ransomware while access is sold to affiliates. A field in the configuration file named pid is used to identify the affiliate that the sample belongs to. We have confirmed that a field in the malware configuration named sub is used to identify affiliate campaigns, and not the affiliates themselves, as is frequently reported. 
In addition, the attacker's public key can identify the same operator when used across multiple samples.\r\nTwo prominent users on the aforementioned Russian-language cybercrime forum vouched for Unknown's ransomware service:\r\nkerberos - A moderator on the aforementioned forum and a long-standing cybercriminal.\r\nlalartu - A cybercrime actor known to participate in the GandCrab and REvil ransomware affiliate programs.\r\nThe actor lalartu's personal information was possibly released for malicious purposes, or \"doxxed\", by an information security researcher known as UnderTheBreach (see: https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80). We have not been able to verify the conclusions asserted in this post.\r\nInfrastructure\r\nREvil ransomware configurations contain more than 1,000 controllers. Interestingly, the live domains we verified were all WordPress websites, so it is probable they were compromised by the operators or purchased from other cybercriminals. The configuration also contains domain names that were not registered at the time of this report, for example:\r\n$ whois andersongilmour[.]co[.]uk\r\nNo match for \"andersongilmour[.]co[.]uk.\"\r\nThis domain name was not registered at the time of this report.\r\nIt is likely most of the domains present in the configuration are decoys, with only a few real REvil controllers scattered inside the list.\r\nDetection\r\nThis section describes the methods used to detect a REvil sample.\r\nStatic Detection\r\nUnpacked REvil samples can be detected statically by looking for patterns in the code and in the cryptographic functions used by the ransomware.\r\nDynamic Detection\r\nDynamic detection of REvil samples is possible by running Yara signatures on the memory-resident image. 
In addition, the ransomware creates the following interesting artifacts:\r\nA .txt file with a ransom note in each directory encrypted by the ransomware.\r\nA .bmp image in the temporary directory, set as the desktop background after the encryption.\r\nA registry key named SOFTWARE, which can be present under either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER.\r\nAn alphanumeric file extension between 5 and 10 characters in length appended to the original extension of each encrypted file.\r\nYara Signatures\r\nWe decided not to release Yara signatures to avoid burning them and affecting the work of other researchers. However, we will release them to network defenders and infosec professionals upon request. Email us at revil-yara-reqREMOVEME@intel471[.]com (remove the \"REMOVEME\" text from the email address) from your corporate email address (for validation purposes only) and we will send through our Yara signatures.\r\nExploits\r\nREvil ransomware exploits a kernel privilege escalation vulnerability in win32k.sys tracked as CVE-2018-8453 to gain SYSTEM privileges on the infected host. 
If the configuration instructs a sample to execute this exploit, it will allocate executable memory, decrypt the exploit code in the newly allocated region and invoke it.\r\nThe screenshot below shows the window name sysshadow and the application programming interface (API) DestroyWindow inside the embedded exploit, proving it is the CVE-2018-8453 vulnerability.\r\n[Screenshot omitted: the sysshadow window name and the DestroyWindow API inside the embedded exploit]\r\nOpen Source Intelligence (OSINT)\r\nFor more information on REvil, we suggest the following public resources:\r\nREvil/Sodinokibi Ransomware (see: https://www.secureworks.com/research/revil-sodinokibi-ransomware).\r\nMcAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us (see: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/).\r\nTracking REvil (see: https://www.kpn.com/security-blogs/Tracking-REvil.htm).\r\nDefeating Sodinokibi/REvil String-Obfuscation in Ghidra (see: https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/).\r\nStatic Analysis\r\nREvil ransomware incorporates techniques to make the task of static analysis more difficult for an analyst. Most of the strings used during execution are decrypted at runtime, only when needed. 
In addition, the imports are resolved dynamically from 32-bit hashes and placed into global variables early in execution.\r\nHard-coded Strings\r\nVery few strings are hard coded inside REvil ransomware samples, and the most interesting are:\r\nL“ServicesActive”: This wide string is passed to the OpenSCManagerW API to retrieve active services.\r\n“expand 32-byte kexpand 16-byte”: The constants used by the Salsa20 symmetric encryption algorithm.\r\nString Encryption\r\nREvil ransomware decrypts most of the strings it uses during execution at runtime.\r\n[Screenshot omitted: disassembly of the RC4 string decryption]\r\nAs the screenshot above reveals, these strings are Rivest Cipher 4 (RC4) encrypted and are decrypted using a function we renamed to rc4_decrypt_string. Below is its prototype and the meaning of each parameter:\r\nvoid rc4_decrypt_string(BYTE *rc4_array, int rc4_key_offset, int rc4_key_length, int buffer_length, BYTE *out_buffer)\r\nrc4_array: A pointer to a contiguous array in the .data section containing the RC4 keys and the encrypted strings. Each RC4 key is followed directly by the string it decrypts.\r\nrc4_key_offset: The offset to the RC4 key within the array.\r\nrc4_key_length: The length of the RC4 key.\r\nbuffer_length: The length of the RC4-encrypted buffer.\r\nout_buffer: Pre-allocated memory or stack space where the decrypted string is copied.\r\nThe image below shows the layout of two adjacent elements of the array:\r\n[Figure omitted: layout of two adjacent elements of the RC4 string array]\r\nThe decrypted strings are not NULL-terminated; therefore, the code must terminate these strings explicitly.\r\nMalware Behavior\r\nThe behavior of the following samples was analyzed for this report:\r\nSample SHA256\r\nREvil packed 6953d86d09cb8ed34856b56f71421471718ea923cd12c1e72224356756db2ef1\r\nREvil not packed 372c8276ab7cad70ccf296722462d7b8727e8563c0bfe4344184e1bc3afc27fc\r\nREvil not packed ec0c653d5e10fec936dae340bf97c88f153cc0cdf7079632a38a19c876f3c4fe\r\nProcess Execution\r\nDuring its initialization phase, REvil starts by 
dynamically resolving the imports it needs to function correctly. This is accomplished in a loop that reads hard-coded 32-bit values from an array in the .data section; each value is then decoded and resolved to the correct API by the responsible function, rvl_resolve_api, and the 32-bit value is overwritten with the pointer to the API.\r\n[Screenshot omitted: disassembly of the import resolution routine]\r\nAs shown in the disassembly above, additional APIs are resolved by their names with the help of the GetProcAddress API.\r\nWith everything in place, REvil creates a global mutual exclusion object (mutex) with a hard-coded name, i.e., Global\\1DE3C565-E22C-8190-7A66-494816E6C5F5. This is used to ensure only a single instance of the ransomware sample is running.\r\nThe REvil ransomware always attempts to run with elevated privileges and does so using two techniques. One technique relies on exploiting the CVE-2018-8453 vulnerability to gain SYSTEM privileges on the host; REvil checks its configuration to determine whether it should execute the exploit. The other technique is always executed if the process is not elevated: it relies on calling ShellExecuteW to prompt the user to run the sample as an administrator, in an infinite loop until the user agrees to run the elevated process. Starting with version 2.1, the privilege escalation exploit code was removed.\r\nREvil’s configuration is in JavaScript Object Notation (JSON) and is initially RC4 encrypted. 
It is stored in the following fashion at the beginning of a portable executable (PE) section named .yhwfq9:\r\n[Figure omitted: layout of the encrypted configuration at the beginning of the .yhwfq9 section]\r\nIt is important to mention that a cyclic redundancy check (CRC32) value is calculated and validated for the encrypted configuration.\r\nAfter decrypting the configuration in dynamically allocated memory, REvil parses it using the open-source json-parser C library (see: https://github.com/udp/json-parser). For an example of a REvil configuration, see the Appendix section below.\r\nThe first JSON field checked is exp, which can be true or false and indicates whether the CVE-2018-8453 vulnerability should be exploited. If the exploit isn’t executed or fails, REvil resorts to the second technique previously described in this section.\r\nWhen REvil executes with higher privileges, it starts its main initialization phase, where it reads the necessary JSON fields into the .data section and initializes registry values inside a new subkey named SOFTWARE. When doing registry operations in general, REvil first tries to use the HKEY_LOCAL_MACHINE hive and switches to HKEY_CURRENT_USER only if that fails. The configuration fields, registry keys and their values are described in the Configuration section below.\r\nThe other important task in this phase is filling the ransom note template, which is present in base64 inside the configuration field nbody:\r\n---=== Welcome. Again. ===---\r\n[+] Whats Happen? [+]\r\nYour files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}.\r\nBy the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).\r\n[+] What guarantees? [+]\r\nIts just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. 
Its not in our interests.\r\nTo check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.\r\nIf you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.\r\n[+] How to get access on website? [+]\r\nYou have two ways:\r\n1) [Recommended] Using a TOR browser!\r\na) Download and install TOR browser from this site: https://torproject.org/\r\nb) Open our website: hxxp://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd[.]onion/{UID}\r\n2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:\r\na) Open your any browser (Chrome, Firefox, Opera, IE, Edge)\r\nb) Open our secondary website: hxxp://decryptor[.]cc/{UID}\r\nWarning: secondary website can be blocked, thats why first variant much better and more available.\r\nWhen you open our website, put the following data in the input form:\r\nKey:\r\n{KEY}\r\nExtension name:\r\n{EXT}\r\n-----------------------------------------------------------------------------------------\r\n!!! DANGER !!!\r\nDONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.\r\n!!! !!! !!!\r\nONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.\r\n!!! !!! 
!!!\r\nREvil fills this template with a file extension (EXT), a user identifier (UID) and a key (KEY):\r\nThe extension is generated randomly from alphanumeric characters and is between 5 and 10 characters in length.\r\nThe user identifier is a hardware ID generated from the main volume’s serial number and the system’s CPU information. This ID is calculated as follows:\r\nRetrieve the main volume's 32-bit serial number.\r\nGenerate a CRC32 checksum of the volume serial with a seed value equal to 1337.\r\nRetrieve the central processing unit (CPU) information string, e.g., “Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz.”\r\nGenerate a CRC32 checksum of the CPU information string with the volume serial CRC32 hash as the seed value.\r\nConcatenate the CPU information CRC32 hash with the volume serial number into a 16-byte hexadecimal string, e.g., 8100F233BC097E90.\r\nThe key submitted by the victim to the operator through the website is a JSON string:\r\n{\r\n  \"ver\":\"%d\",  # REvil's version: hard coded to 0x200 (v2.00).\r\n  \"pid\":\"%s\",  # The \"pid\" field in the configuration.\r\n  \"sub\":\"%s\",  # The \"sub\" field in the configuration.\r\n  \"pk\":\"%s\",   # The public key \"pk\" field in the configuration.\r\n  \"uid\":\"%s\",  # The hardware ID.\r\n  \"sk\":\"%s\",   # The victim's generated secret key encrypted with the \"pk\" public key. This key is necessary for decryption.\r\n  \"unm\":\"%s\",  # The username of the Windows account.\r\n  \"net\":\"%s\",  # The computer name.\r\n  \"grp\":\"%s\",  # The domain name.\r\n  \"lng\":\"%s\",  # Language, e.g., \"fr-FR\".\r\n  \"bro\":%s,    # \"true\" or \"false\". Is immune to infection: whitelisted language and keyboard layout.\r\n  \"os\":\"%s\",   # Windows product name.\r\n  \"bit\":%d,    # CPU architecture: 86 or 64.\r\n  \"dsk\":\"%s\",  # A base64-encoded structure with information on the mounted volumes.\r\n  
\"ext\":\"%s\"   # The encrypted files' extension, e.g., \".g19b9wy\"\r\n}\r\nThis JSON is encrypted with a public key hard coded in the binary before it is stored in the registry and in the template. It is also communicated to the controllers later in execution. See the Encryption section below for information on how REvil encrypts data.\r\nNext, REvil checks the configuration field dbg to see if it’s running in debug mode. If that is not the case, geolocation checks based on the system’s language and the keyboard layout are conducted so the ransomware does not attempt to encrypt files on whitelisted systems. The following are the whitelisted system language IDs for the analyzed sample:\r\n[Figure omitted: whitelisted system language IDs]\r\nThe whitelisted keyboard layouts include:\r\nRomanian\r\nRussian\r\nUkrainian\r\nBelarusian\r\nEstonian\r\nLatvian\r\nLithuanian\r\nTajik\r\nPersian\r\nArmenian\r\nAzerbaijani\r\nGeorgian\r\nKazakh\r\nKyrgyz\r\nTurkmen\r\nUzbek\r\nTatar\r\nFor the check to succeed and REvil to exit, both a whitelisted system language and a whitelisted keyboard layout must be present. Otherwise, the ransomware continues its execution normally.\r\nAt this stage, REvil performs the following actions before starting the encryption. 
First, it will try to stop and delete services whose names match one of the regular expressions in the svc JSON configuration list, for example:\r\n\"svc\":[ \"memtas\", \"crm\", \"quickbooks\", \"svc$\", \"veeam\", \"oracle\", \"mepocs\", \"exchange\", \"pos\", \"vss\", \"sql\", \"backup\", \"qb\", \"sophos\", \"sage\" ]\r\nThen it will terminate all processes with names that match the elements of the prc JSON array, for instance:\r\n\"prc\":[ \"w3wp\", \"thunderbird\", \"mydesktopqos\", \"powerpnt\", \"outlook\", \"srv\", \"infopath\", \"msaccess\", \"ocautoupds\" ]\r\nFinally, REvil will delete the volume shadow copies. The way this is accomplished depends on the Windows version:\r\nWindows versions 5.1 and earlier:\r\ncmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures\r\nWindows versions 5.2 and later, under PowerShell:\r\nGet-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\r\nAt this stage, REvil enters the file encryption phase. It is possible to run REvil with command-line arguments that affect how encryption is carried out. The following table describes these arguments:\r\nArgument Description\r\n-full Encrypts all the data in the target files.\r\n-fast Only encrypts the first MB of each file. Mutually exclusive with the -full argument.\r\n-path Recursively encrypts the files inside a single directory specified after the argument. 
The desktop background image remains unchanged when this argument is supplied.\r\n-nolan Does not encrypt files on shared network storage.\r\n-nolocal Does not encrypt files on local storage.\r\nTwo of the values the et configuration field can take are equivalent to the command-line arguments -full and -fast. Additionally, the presence of one of these command-line arguments overrides the value of this field. Below are the values this field can take, with a description of each value:\r\nEncryption type value Description\r\n0 Equivalent to the command-line argument -full\r\n1 Equivalent to the command-line argument -fast\r\n2 Encrypts 1 MB, then skips the number of MBs supplied in the spsize field, repeatedly, until the end of the file is reached.\r\nBefore encrypting a file or directory, REvil determines whether its name matches any entry in the whitelist configuration entries. The whitelisted folders, files and extensions are lists stored in the wht JSON configuration field as fld, fls and ext.\r\nREvil ransomware also avoids encrypting a file more than once by determining whether it was previously encrypted. This is achieved by checking whether the metadata it stores at the end of encrypted files is present.\r\nTo encrypt the files, REvil relies on multithreading and input/output (I/O) completion ports, allowing it to perform asynchronous I/O and process multiple files simultaneously.\r\nEach file is encrypted with a different key derived from a single public key linked to the victim. See the Encryption section below for details on how REvil implements file encryption.\r\nAfter the encryption is complete, REvil generates a bitmap image and sets it as the desktop background.\r\n[Screenshot omitted: the generated desktop background image]\r\nAfterward, REvil ransomware reads the Boolean configuration field net to determine whether it should communicate with its controllers. 
See the Communications section below for more details.\r\nFinally, REvil ransomware marks its binary for deletion during the next reboot and terminates execution.\r\nConfiguration\r\nThe table below describes each field of the REvil JSON configuration:\r\nField Description\r\npk The attacker’s public key encoded in base64.\r\npid The affiliate ID. In v2.0 and earlier, this was an integer. From 2.1 it became a Bcrypt hash.\r\nsub An integer value. The campaign identifier.\r\ndbg Boolean value that determines if REvil should run in debug mode.\r\net An integer value specifying the encryption type. - 0: Fast encryption. - 1: Full encryption. - 2: Encrypt 1 MB then skip the number of MBs specified by the spsize field.\r\nspsize Specifies the number of MBs to skip when the encryption type is 2.\r\nwipe A Boolean value that indicates whether REvil should wipe the folders specified in the wfld element. We have not seen this option implemented in the analyzed samples.\r\nwfld The folders to be wiped by REvil.\r\nwht Contains three lists of elements that REvil will not encrypt: - fld: Whitelisted folders. - fls: Whitelisted files. 
- ext: Whitelisted extensions.\r\nprc A list of regular expressions that REvil matches against process names to terminate them.\r\nnet If this Boolean value is set to true, REvil communicates with its controllers.\r\ndmn A string of controllers separated by semicolons.\r\nsvc A list of regular expressions to match against running services to stop and delete them.\r\nnbody The template of the ransom note encoded in base64.\r\nnname The file name of the ransom note to be dropped inside encrypted directories.\r\nexp Indicates if REvil should exploit the CVE-2018-8453 vulnerability to escalate privileges.\r\nimg The text to be written in the background image, encoded in base64.\r\narn When set to true, REvil persists on the system.\r\nThe registry values that REvil creates are described below:\r\nValue name Description\r\n1TfXk Victim’s secret key encrypted with the attacker’s public key present in the configuration.\r\n2YEdLY Victim’s secret key encrypted with a master public key hard coded in the binary.\r\naah The attacker’s public key.\r\nfdle The victim’s public key.\r\nAaZW1s3 The extension appended to files after encryption.\r\nQaUXNv2P The victim’s key encrypted with a second hard-coded public key in the binary.\r\nEncryption\r\nREvil ransomware implements encryption schemes involving the elliptic curve Curve25519, Salsa20, SHA-3, CRC32 and the Advanced Encryption Standard (AES). 
We identified the specific open-source implementations utilized by REvil:\r\nCurve25519: https://github.com/vstakhov/opt-cryptobox/tree/master/curve25519\r\nSalsa20: https://cr.yp.to/snuffle/salsa20/merged/salsa20.c\r\nThis subsection delves into the details of how these algorithms are used to encrypt data and files.\r\nEncryption keys\r\nREvil ransomware relies on Curve25519 to generate public and secret key pairs and to create shared keys for encryption. What follows defines the Curve25519 keys referred to throughout this subsection:\r\nKey-pair name Description\r\ncrypt (crypt_public / crypt_secret) The victim’s main key pair used for file encryption.\r\nfile (file_public / file_secret) A random key pair generated for each encrypted file.\r\nattacker (attacker_public / attacker_secret) The attacker’s key pair. attacker_public is present under the pk configuration field.\r\nmaster (master_public / master_secret) The master key pair. master_public is hard coded inside the binary and is the same across all REvil samples.\r\nuser_config (user_config_public / user_config_secret) The user configuration key pair. user_config_public is hard coded in the binary and is used to encrypt the user key we find encrypted in the ransom note.\r\nData encryption\r\nREvil ransomware encrypts all important data it stores in the registry. For instance, the user key present in the ransom note and in the registry is a JSON dictionary encrypted using the method we describe in the paragraphs that follow.\r\nTo encrypt a buffer, REvil invokes the following function:\r\nBYTE* rvl_encrypt_data(BYTE *hispublic, BYTE *buffer, int buffer_length, BYTE *out_buffer_length)\r\nThis function requires a 32-byte Curve25519 public key, a buffer to encrypt and its length. 
The end result is a pointer to the encrypted buffer in the return value and its length in the output parameter out_buffer_length.\r\nInternally, this function performs the following actions:\r\nAllocate buffer_length bytes plus an extra 56 bytes to hold the final data.\r\nZero out the first 4 bytes of the allocated buffer.\r\nCopy the buffer to encrypt after the zeroed double word.\r\nGenerate a new Curve25519 key pair we call new_public and new_secret.\r\nCalculate a Curve25519 shared key between the hispublic key supplied in the arguments and new_secret. The recipient of the message can use its own secret key and new_public to obtain the same shared key.\r\nHash the shared key using the SHA-3 algorithm.\r\nClear the shared key from memory.\r\nClear new_secret from memory.\r\nGenerate a random 128-bit AES initialization vector.\r\nEncrypt the buffer using AES with the SHA-3 hash as the key. The buffer to encrypt includes the prepended 32-bit NULL value.\r\nClear the SHA-3 hash from memory.\r\nCalculate the CRC32 of the encrypted buffer.\r\nAppend the following elements to the encrypted buffer in this order:\r\nThe generated new_public key (32 bytes).\r\nThe initialization vector (16 bytes).\r\nThe CRC32 of the encrypted buffer (4 bytes).\r\nThe end result looks like:\r\n[Figure omitted: layout of the encrypted buffer, followed by new_public (32 bytes), the IV (16 bytes) and the CRC32 (4 bytes)]\r\nAs an example, after decoding the user key present in the ransom note using base64, we see it respects this same format:\r\n[Figure omitted: the base64-decoded user key from the ransom note]\r\nIn order for the attackers to decrypt this data and retrieve the JSON dictionary, and as a result the encrypted victim’s crypt_secret key, they must do the following:\r\nVerify the CRC32 hash of the encrypted data.\r\nCalculate a Curve25519 shared key using the new_public key in the data and the attacker’s secret user_config_secret.\r\nHash the shared key using SHA-3.\r\nRetrieve the AES initialization vector and decrypt the buffer using AES.\r\nRemove the NULL double word at the start of the buffer.\r\nIt is important to mention the victim’s 
crypt_secret key is encrypted the same way using the attacker’s attacker_public key (registry value “1TfXk”) and the master_public key (registry value “2YEdLY”).\r\nFile encryption\r\nREvil ransomware encrypts files in 1 MB increments, unless the file size is smaller, the remaining bytes to encrypt are less than 1 MB or the encryption type specified is not full encryption. The contents of the file are read, encrypted and written back to the file, overwriting the original content. After the encryption is complete, metadata is written to the end of the file and the file is renamed to include the generated file extension (registry value AaZW1s3).\r\nFor each given file, REvil ransomware starts encryption by initializing a structure used throughout the process. Its first part is the Windows OVERLAPPED structure used for asynchronous I/O, followed by custom fields REvil uses. 
The most interesting part of this structure was reverse engineered to the following:\r\ntypedef struct _rvl_filecrypt_struct {\r\n    OVERLAPPED Overlapped;\r\n    /*..SNIP..*/\r\n    struct _rvl_metadata {\r\n        BYTE crypt_secret_w_attacker_pub[88]; // same as registry value \"1TfXk\".\r\n        BYTE crypt_secret_w_master_pub[88];   // same as registry value \"2YEdLY\".\r\n        BYTE file_public[32];                 // The file_public key.\r\n        BYTE salsa20_iv[8];                   // salsa20 initialization vector.\r\n        DWORD crc32_file_public;              // CRC32 hash of file_public.\r\n        DWORD et;                             // The encryption type.\r\n        DWORD spsize;                         // spsize field if applicable.\r\n        DWORD encrypted_null;                 // A NULL value encrypted with salsa20.\r\n    } metadata;\r\n    /*..SNIP..*/\r\n} rvl_filecrypt_struct, *prvl_filecrypt_struct;\r\nThis metadata substructure is appended to the end of every encrypted file and is used by the decrypter, and by REvil itself, to verify that a file was previously encrypted.\r\nThe Salsa20 symmetric encryption key is the SHA-3 hash of a shared key derived from the victim’s crypt_public key and the secret of a generated key pair, file_secret.\r\nTo decrypt a file, both the victim’s crypt_secret key and the file_public key must be known:\r\nIt is possible to decrypt crypt_secret knowing either the operators’ attacker_secret or master_secret key and applying the same logic described in the Data encryption subsection.\r\nIt is possible to retrieve the per-file file_public key from the end of an encrypted file after validating its CRC32 hash.\r\nHaving attained both a public and a secret key from the previous steps, generate a shared Curve25519 key and hash 
it\r\nusing SHA-3.\r\nCopy the value of the Salsa20 initialization vector from the metadata structure at the end of the file.\r\nTest decrypting the encrypted NULL double word with the SHA-3 hash as a key.\r\nDetermine the encryption type used to perform correct decryption of the file, then start decrypting accordingly.\r\nimage9 300x105\r\nBy following this scheme, the attackers are sure not to divulge their secret keys when sending decrypters to victims. On their\r\nside, attackers only have to decrypt the victim’s crypt_secret key and send back a decrypter embedding this key.\r\nPersistence mechanism\r\nPrior to version 2.1, REvil ransomware persists on the machine if the arn configuration field is set to true. It writes its path\r\nto the registry key SOFTWARE for persistence. The value name of the entry for the analyzed sample is k51299BQXH.\r\nBefore terminating execution, REvil marks its executable file for deletion during the next reboot. As a result, the persistence\r\npath will become invalid.\r\nThe persistence mechanism was removed from REvil version 2.1.\r\nProtections\r\nREvil ransomware does not implement any protections.\r\nCommunications\r\nREvil ransomware only initiates communication with its controllers when the configuration field net is set to true. In that\r\ncase, REvil extracts the controller list from the dmn configuration string and proceeds to build a custom URL in a loop for\r\neach controller before initiating communications.\r\nEach controller is preceded by the string https://, followed by a random path chosen from hard-coded values and then\r\nterminated by a random file name. 
The regular expression below matches all random URL paths generated by REvil\r\nransomware:\r\n\\/(wp-content|static|content|include|uploads|news|data|admin)\\/(images|pictures|image|temp|tmp|graphic|assets|pics|game)\\/([a-z]{2}){1,10}\\.(jpg|png|gif)\r\nREvil then proceeds to send a POST request containing the victim’s key stored in the registry value QaUXNv2P to the\r\ncontrollers. Afterward, the controller response is read into a buffer that subsequently is ignored and freed.\r\nAppendix\r\nAppendix 1: REvil configuration\r\nExample of a REvil configuration. We redacted most of the controllers for readability:\r\n{\r\n  \"pk\":\"YO9E7ouT83RseZgGnLR2DxiFRbXiteYQirOJcZOjplo=\",\r\n  \"pid\":\"$2a$10$7qQ70syLvX5aslSuSa9AWurg843zRR.433XEtfk2rGURjN9e.xNz6\",\r\n  \"sub\":\"3195\",\r\n  \"dbg\":false,\r\n  \"et\":1,\r\n  \"wipe\":false,\r\n  \"wht\":{\r\n    \"fld\":[ \"programdata\", \"perflogs\", \"application data\", \"appdata\", \"$windows.~bt\", \"system volume information\", \"windows\", \"tor browser\", \"google\", \"msocache\", \"boot\", \"windows.old\", \"$windows.~ws\", \"mozilla\", \"intel\" ],\r\n    \"fls\":[ \"boot.ini\", \"ntuser.dat\", \"iconcache.db\", \"autorun.inf\", \"bootsect.bak\", \"desktop.ini\", \"thumbs.db\", \"ntuser.ini\", \"ntuser.dat.log\", \"ntldr\", \"bootfont.bin\" ],\r\n    \"ext\":[ \"msp\", \"rom\", \"rtp\", \"shs\", \"mod\", \"cur\", \"msc\", \"nomedia\", \"deskthemepack\", \"diagcab\", \"diagcfg\", \"msstyles\", \"scr\", \"hta\", \"idx\", \"ics\", \"lock\", \"diagpkg\", \"icns\", \"msi\", \"themepack\", \"key\", \"bin\", \"theme\", \"bat\", \"cab\", \"nls\", \"spl\", \"icl\", \"sys\", \"drv\", \"lnk\", \"cmd\", \"adv\", \"cpl\", \"ico\", \"com\", \"exe\", \"ocx\", \"dll\", \"hlp\", \"mpa\", \"prf\", \"wpx\", \"ani\", \"msu\", \"ps1\", \"386\" ]\r\n  },\r\n  \"wfld\":[ \"backup\" ],\r\n  \"prc\":[ \"w3wp\", \"thunderbird\", \"mydesktopqos\", \"powerpnt\", \"outlook\", \"srv\", \"infopath\", \"msaccess\", \"ocautoupds\", \"qb\", \"core\", \"mspub\", \"store\", \"ssms\", \"dbeng50\", \"ax32\", \"sql\", \"exchange\", \"onenote\", \"ocssd\", \"sage\", \"pos\", \"word\", \"java\", \"sophos\", \"xfssvccon\", \"visio\", \"synctime\", \"oracle\", \"crm\", \"excel\", \"dbs\", \"ocomm\", \"svc$\" ],\r\n  \"dmn\":\"sweering[.]fr;shiresresidential[.]com;bogdanpeptine[.]ro;ruralarcoiris[.]com;echtveilig[.]nl\",\r\n  \"net\":false,\r\n  \"svc\":[ \"memtas\", \"crm\", \"quickbooks\", \"svc$\", \"veeam\", \"oracle\", \"mepocs\", \"exchange\", \"pos\", \"vss\", \"sql\", \"backup\", \"qb\", \"sophos\", \"sage\" ],\r\n  \"nbody\":\"LQAtAC0APQA9AD0AIABXAGUAbABjAG8AbQBlAC4AIABBAGcAYQBpAG4ALgAgAD0APQA9AC0ALQAtAA0ACgANAAoAWwArAF0AIABXAGgAYQB0AHMAIABIAGEAcABwAGUA\r\n  \"nname\":\"{EXT}-readme.txt\",\r\n  \"exp\":false,\r\n  \"img\":\"QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQ\r\n  \"arn\":false\r\n}\r\nAnti-virus (AV) classifications\r\nAV Alias\r\nALYac Trojan.Ransom.Sodinokibi\r\nIkarus Trojan-Ransom.Sodinokibi\r\nClamAV Win.Ransomware.Sodinokibi\r\nESET-NOD32 Win32/Filecoder.Sodinokibi\r\nFortinet W32/Sodinokibi.B!tr.ransom\r\nMalwarebytes Ransom.Sodinokibi\r\nMicrosoft Ransom:Win32/Sodinokibi\r\nRising Ransom.Sodin\r\nTrendMicro HouseCall Win32.SODINOKIB.SMTH\r\nViRobot Trojan.Win32.Z.Sodinokibi\r\nWebroot W32.Ransom.Sodinokibi\r\nSource: https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/"
	],
	"report_names": [
		"revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation"
	],
	"threat_actors": [],
	"ts_created_at": 1775434729,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ad510618f2e23bbea51896b5aea8be197bda628.pdf",
		"text": "https://archive.orkl.eu/3ad510618f2e23bbea51896b5aea8be197bda628.txt",
		"img": "https://archive.orkl.eu/3ad510618f2e23bbea51896b5aea8be197bda628.jpg"
	}
}