Revil

Parsing : Enabled

Description

REvil Beta
MD5: bed6fc04aeb785815744706239a1f243
SHA1: 3d0649b5f76dbbff9f86b926afbd18ae028946bf
SHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45
* Privilege escalation via CVE-2018-8453 (64-bit only)
* Rerun with RunAs to elevate privileges
* Implements a requirement that if "exp" is set, privilege escalation must be successful for full execution to occur
* Implements target whitelisting using GetKeyboardLayoutList
* Contains debug console logging functionality
* Defines the REvil registry root key as SOFTWARE\!test
* Includes two variable placeholders in the ransom note: UID & KEY
* Terminates processes specified in the "prc" configuration key prior to encryption
* Deletes shadow copies and disables recovery
* Wipes contents of folders specified in the "wfld" configuration key prior to encryption
* Encrypts all non-whitelisted files on fixed drives
* Encrypts all non-whitelisted files on network mapped drives if it is running with System-level privileges or can impersonate the security context of explorer.exe
* Partially implements a background image setting to display a basic "Image text" message
* Sends encrypted system data to a C2 domain via an HTTPS POST request (URI path building is not implemented.)
------------------------------------
REvil 1.00
MD5: 65aa793c000762174b2f86077bdafaea
SHA1: 95a21e764ad0c98ea3d034d293aee5511e7c8457
SHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc
* Adds 32-bit implementation of CVE-2018-8453 exploit
* Removes console debug logging
* Changes the REvil registry root key to SOFTWARE\recfg
* Removes the System/Impersonation success requirement for encrypting network mapped drives
* Adds a "wipe" key to the configuration for optional folder wiping
* Fully implements the background image setting and leverages values defined in the "img" configuration key
* Adds an EXT variable placeholder to the ransom note to support UID, KEY, and EXT
* Implements URI path building so encrypted system data is sent to a C2 pseudo-random URL
* Fixes the function that returns the victim's username so the correct value is placed in the stats JSON data
------------------------------------
REvil 1.01
MD5: 2abff29b4d87f30f011874b6e98959e9
SHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732c
SHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb
* Removes the exp/privilege escalation requirement for full execution and encrypts data regardless of privilege level
* Makes encryption of network mapped drives optional by adding the "-nolan" argument
------------------------------------
REvil 1.02
MD5: 4af953b20f3a1f165e7cf31d6156c035
SHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299
SHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4
* Enhances whitelisting validation by adding inspection of GetUserDefaultUILanguage and GetSystemDefaultUILanguage
* Partially implements "lock file" logic by generating a lock filename based on the first four bytes of the Base64-decoded pk key, appending a .lock file extension, and adding the filename to the list of whitelisted files in the REvil configuration (It does not appear that this value is referenced after it is created and stored in memory. There is no evidence that a lock file is dropped to disk.)
* Enhances folder whitelisting logic with special handling for folders under the Program Files directories
* Hard-codes whitelisting of all direct content within the Program Files or Program Files x86 directories
* Hard-codes whitelisting of "sql" subfolders within Program Files
* Encrypts Program Files sub-folders that do not contain "sql" in the path
* Compares other folders to the list of whitelisted folders specified in the REvil configuration to determine if they are whitelisted
* Encodes stored strings used for URI building within the binary and decodes them in memory right before use
* Introduces a REvil registry root key "sub_key" registry value containing the attacker's public key
------------------------------------
REvil 1.03
MD5: 3cae02306a95564b1fff4ea45a7dfc00
SHA1: 0ce2cae5287a64138d273007b34933362901783d
SHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf
* Removes lock file logic that was partially implemented in 1.02
* Leverages WMI to continuously monitor for and kill newly launched processes whose names are listed in the prc configuration key (Previous versions performed this action once.)
* Encodes stored shellcode
* Adds the -path argument:
* Does not wipe folders (even if wipe == true)
* Does not set desktop background
* Does not contact the C2 server (even if net == true)
* Encrypts files in the specified folder and drops the ransom note
* Changes the REvil registry root key to SOFTWARE\QtProject\OrganizationDefaults
* Renames registry values (old --> new):
* sub_key --> pvg
* pk_key --> sxsP
* sk_key --> BDDC8
* 0_key --> f7gVD7
* rnd_ext --> Xu7Nnkd
* stat --> sMMnxpgk
------------------------------------
REvil 1.04
MD5: 6e3efb83299d800edf1624ecbc0665e7
SHA1: 0bd22f204c5373f1a22d9a02c59f69f354a2cc0d
SHA256: 2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6
* Leverages PowerShell and WMI to delete shadow copies if the victim's operating system is newer than Windows XP (For Windows XP or older, it uses the original command that was executed in all previous REvil versions.)
* Removes the folder wipe capability
* Changes the REvil registry root key to SOFTWARE\GitForWindows
* Renames registry values (old --> new):
* pvg --> QPM
* sxsP --> cMtS
* BDDC8 --> WGg7j
* f7gVD7 --> zbhs8h
* Xu7Nnkd --> H85TP10
* sMMnxpgk --> GCZg2PXD
------------------------------------
REvil 1.05
MD5: cfefcc2edc5c54c74b76e7d1d29e69b2
SHA1: 7423c57db390def08154b77e2b5e043d92d320c7
SHA256: e430479d1ca03a1bc5414e28f6cdbb301939c4c95547492cdbe27b0a123344ea
* Adds a new 'arn' configuration key holding a boolean (true/false) that controls whether persistence is set up
* Implements persistence via a registry Run value whose data is the full path and filename of the currently running executable. The executable is never copied into a working directory such as %AppData% or %TEMP% as part of the persistence setup. The value name is hard-coded as 'lNOWZyAWVv':
* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lNOWZyAWVv
* Before exiting, REvil schedules its own executable for deletion at the next reboot by calling MoveFileExW with a NULL destination and flags set to 4 (MOVEFILE_DELAY_UNTIL_REBOOT). This breaks the persistence, however, because the executable referenced by the Run value no longer exists after the reboot.
* Renames registry values (old --> new):
* QPM --> tgE
* cMtS --> 8K09
* WGg7j --> xMtNc
* zbhs8h --> CTgE4a
* H85TP10 --> oE5bZg0
* GCZg2PXD --> DC408Qp4
------------------------------------
REvil 1.06
MD5: 65ff37973426c09b9ff95f354e62959e
SHA1: b53bc09cfbd292af7b3609734a99d101bd24d77e
SHA256: 0e37d9d0a7441a98119eb1361a0605042c4db0e8369b54ba26e6ba08d9b62f1e
* Updates the string decoding function, which breaks existing YARA rules; likely a reaction to the blog post we published
* Modifies handling of network file encryption: it now explicitly passes every possible "Scope" constant to WNetOpenEnum when enumerating resources to encrypt, and changes the "Resource Type" from RESOURCETYPE_DISK to RESOURCETYPE_ANY, which now includes things like mapped printers
* Changes the persistence registry value name from 'lNOWZyAWVv' to 'sNpEShi30R'
* Renames registry values (old --> new):
* tgE --> 73g
* 8K09 --> vTGj
* xMtNc --> Q7PZe
* CTgE4a --> BuCrIp
* oE5bZg0 --> lcZd7OY
* DC408Qp4 --> sLF86MWC
------------------------------------
REvil 1.07
MD5: ea4cae3d6d8150215a4d90593a4c30f2
SHA1: 8dcbcbefaedf5675b170af3fd44db93ad864894e
SHA256: 6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3
TBD
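The following host triage script is an added example for this page; it is not REvil code and not part of the original analysis. It checks a Windows system for the registry artifacts the version history above attributes to REvil builds: the root keys, the per-version value names, the Run value names from 1.05 and 1.06, and the delayed-delete request left behind by MoveFileExW. Assumptions it makes: both HKLM and HKCU are checked because the list does not say which hive is written; 1.05 and 1.06 are assumed to keep the 1.04 root key SOFTWARE\GitForWindows since no change is listed for them; the value names for 1.00-1.02 are taken from the "from" side of the 1.03 rename list; and MOVEFILE_DELAY_UNTIL_REBOOT requests are read from the PendingFileRenameOperations value under Session Manager, which is where Windows records them.

```powershell
# Added triage example for this page; not REvil code and not from the original analysis.
# Read-only: enumerates registry artifacts listed in the version history above.
# Assumptions are marked inline.

$ErrorActionPreference = 'SilentlyContinue'

# Root keys and the value names each build is listed as using. Names for 1.00-1.02 are the
# "from" side of the 1.03 rename list; 1.05 and 1.06 are assumed to keep the 1.04 root key
# because no root key change is listed for them.
$RevilRoots = @(
    @{ Version = 'Beta';      Path = 'SOFTWARE\!test';                          Values = @() },
    @{ Version = '1.00-1.02'; Path = 'SOFTWARE\recfg';                          Values = 'sub_key','pk_key','sk_key','0_key','rnd_ext','stat' },
    @{ Version = '1.03';      Path = 'SOFTWARE\QtProject\OrganizationDefaults'; Values = 'pvg','sxsP','BDDC8','f7gVD7','Xu7Nnkd','sMMnxpgk' },
    @{ Version = '1.04';      Path = 'SOFTWARE\GitForWindows';                  Values = 'QPM','cMtS','WGg7j','zbhs8h','H85TP10','GCZg2PXD' },
    @{ Version = '1.05';      Path = 'SOFTWARE\GitForWindows';                  Values = 'tgE','8K09','xMtNc','CTgE4a','oE5bZg0','DC408Qp4' },
    @{ Version = '1.06';      Path = 'SOFTWARE\GitForWindows';                  Values = '73g','vTGj','Q7PZe','BuCrIp','lcZd7OY','sLF86MWC' }
)

# Run value names from the 1.05 and 1.06 entries above.
$RevilRunNames = 'lNOWZyAWVv', 'sNpEShi30R'

function Find-RevilRegistryArtifacts {
    # Assumption: the page does not say which hive REvil writes to, so check both.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($root in $RevilRoots) {
            $key = Join-Path $hive $root.Path
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $props   = Get-ItemProperty -LiteralPath $key
            $present = @($root.Values | Where-Object { $null -ne $props.$_ })
            # QtProject\OrganizationDefaults and GitForWindows are also created by legitimate
            # Qt applications and by the Git for Windows installer, so the key alone is weak
            # evidence; the REvil-specific value names are the real indicator.
            if ($present.Count -gt 0) { $confidence = 'high' }
            elseif ($root.Path -in 'SOFTWARE\!test', 'SOFTWARE\recfg') { $confidence = 'medium' }
            else { $confidence = 'low' }
            [pscustomobject]@{
                Key         = $key
                Version     = $root.Version
                RevilValues = ($present -join ',')
                Confidence  = $confidence
            }
        }
    }
}

function Find-RevilRunValue {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $run   = Join-Path $hive 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        $props = Get-ItemProperty -LiteralPath $run
        foreach ($name in $RevilRunNames) {
            $target = $props.$name
            if ($null -eq $target) { continue }
            # 1.05 schedules its own executable for deletion at reboot, so a Run value whose
            # target no longer exists is consistent with the behaviour described above.
            [pscustomobject]@{
                Key          = $run
                Name         = $name
                Target       = $target
                TargetExists = Test-Path -LiteralPath ($target.Trim('"'))
            }
        }
    }
}

function Get-PendingDeletesAtReboot {
    # MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT (0x4) records the request in this
    # REG_MULTI_SZ as source/destination pairs; an empty destination means delete at boot.
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -LiteralPath $sm).PendingFileRenameOperations
    if (-not $ops) { return }
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $dst = if ($i + 1 -lt $ops.Count) { $ops[$i + 1] } else { '' }
        if ([string]::IsNullOrEmpty($dst)) {
            # Sources are stored as NT paths (\??\C:\...); strip the prefix for readability.
            [pscustomobject]@{ Source = ($ops[$i] -replace '^\\\?\?\\', ''); Action = 'delete-at-boot' }
        }
    }
}

Find-RevilRegistryArtifacts | Format-Table -AutoSize
Find-RevilRunValue          | Format-Table -AutoSize
Get-PendingDeletesAtReboot  | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the HKLM keys and the Session Manager value are readable. Treat "low" confidence hits as leads, not findings: the two later root keys are shared with legitimate software, and a pending delete-at-boot entry is also produced by ordinary installers and updaters. The value-name match and a Run value pointing at an executable that is about to be deleted are the combinations worth escalating.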

External Analysis
https://www.zdnet.com/article/revil-ransomware-group-resurfaces-after-brief-hiatus
https://www.macrumors.com/2021/04/26/revil-delists-stolen-apple-schematics-threat
https://www.theverge.com/2021/7/22/22589643/ransomware-kaseya-vsa-decryptor-revil
http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html
https://analyst1.com/file-assets/History-of-REvil.pdf
https://angle.ankura.com/post/102hcny/revix-linux-ransomware
https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html
https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version
https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/
https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021
https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf
https://github.com/f0wl/REconfig-linux
https://home.treasury.gov/news/press-releases/jy0471
https://ke-la.com/will-the-revils-story-finally-be-over/
https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/
https://malienist.medium.com/revix-linux-ransomware-d736956150d0
https://otx.alienvault.com/pulse/60da2c80aa5400db8f1561d5
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v
https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo
https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf
https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf
https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/
https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/
https://threatpost.com/ransomware-revil-sites-disappears/167745/
https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20
https://twitter.com/IntezerLabs/status/1452980772953071619
https://twitter.com/VK_Intel/status/1409601311092490248
https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa
https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom
https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil
https://www.bbc.com/news/technology-59297187
https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/
https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ
https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/
https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend
https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/
https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/
https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide
https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment
https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin
https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf
https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/
https://www.flashpoint-intel.com/blog/revil-disappears-again/
https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya
https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/
https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released
https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil
https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf
https://www.youtube.com/watch?v=mDUMpYAOMOo
https://www.youtube.com/watch?v=ptbNMlWxYnE
http://www.secureworks.com/research/threat-profiles/gold-southfield
https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf
https://asec.ahnlab.com/ko/19640/
https://asec.ahnlab.com/ko/19860/
https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/
https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/
https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/
https://blog.amossys.fr/sodinokibi-malware-analysis.html
https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/
https://blog.group-ib.com/REvil_RaaS
https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/
https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/
https://blog.morphisec.com/real-time-prevention-of-the-kaseya-vsa-supply-chain-revil-ransomware-attack
https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html
https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/
https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html
https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit
https://blogs.blackberry.com/en/2021/05/threat-thursday-dr-revil-ransomware-strikes-again-employs-double-extortion-tactics
https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope
https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://community.riskiq.com/article/3315064b
https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf
https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf
https://drive.google.com/file/d/1ph1E0onZ7TiNyG87k4WjofCKNuCafMLk/view
https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf
https://f.hubspotusercontent10.net/hubfs/7095517/FLINT-Kaseya-Another%20Massive%20Heist%20by%20REvil.pdf
https://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://hatching.io/blog/ransomware-part2
https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf
https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf
https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89
https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf
https://intel471.com/blog/changes-in-revil-ransomware-version-2-2
https://isc.sans.edu/diary/27012
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40
https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/
https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/
https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
https://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/
https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/
https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/
https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80
https://medium.com/s2wlab/deep-analysis-of-revil-ransomware-written-in-korean-d1899c0e9317
https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f
https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/
https://news.sophos.com/en-us/2021/06/30/mtr-in-real-time-hand-to-hand-combat-with-revil-ransomware-chasing-a-2-5-million-pay-day/
https://news.sophos.com/en-us/2021/06/30/what-to-expect-when-youve-been-hit-with-revil-ransomware/
https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses
https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/
https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2022-05-01-revil-reborn-ransom.vk.cfg.txt
https://redcanary.com/blog/uncompromised-kaseya/
https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/
https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf
https://searchsecurity.techtarget.com/feature/Ransomware-negotiations-An-inside-look-at-the-process
https://securelist.com/ransomware-world-in-2021/102169/
https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/
https://securelist.com/sodin-ransomware/91473/
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/
https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html
https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/
https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/
https://securityscorecard.com/research/a-detailed-analysis-of-the-last-version-of-revil-ransomware
https://sites.temple.edu/care/ci-rw-attacks/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos
https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/
https://teamt5.org/tw/posts/revil-dll-sideloading-technique-used-by-other-hackers/
https://tehtris.com/fr/peut-on-neutraliser-un-ransomware-lance-en-tant-que-system-sur-des-milliers-de-machines-en-meme-temps/
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
https://thehackernews.com/2022/03/ukrainian-hacker-linked-to-revil.html
https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/
https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/
https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/
https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/
https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/
https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
https://threatintel.blog/OPBlueRaven-Part1/
https://twitter.com/Jacob_Pimental/status/1391055792774729728
https://twitter.com/Jacob_Pimental/status/1398356030489251842?s=20
https://twitter.com/LloydLabs/status/1411098844209819648
https://twitter.com/R3MRUM/status/1412064882623713283
https://twitter.com/SophosLabs/status/1412056467201462276
https://twitter.com/SophosLabs/status/1413616952313004040?s=20
https://twitter.com/SyscallE/status/1411074271875670022
https://twitter.com/VK_Intel/status/1374571480370061312?s=20
https://twitter.com/VK_Intel/status/1411066870350942213
https://twitter.com/_alex_il_/status/1412403420217159694
https://twitter.com/fwosar/status/1411281334870368260
https://twitter.com/fwosar/status/1420119812815138824
https://twitter.com/resecurity_com/status/1412662343796813827
https://twitter.com/svch0st/status/1411537562380816384
https://unit42.paloaltonetworks.com/prometheus-ransomware/
https://unit42.paloaltonetworks.com/revil-threat-actors/
https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/
https://us-cert.cisa.gov/ncas/alerts/aa20-345a
https://velzart.nl/blog/ransomeware/
https://vimeo.com/449849549
https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
https://www.acronis.com/en-sg/articles/sodinokibi-ransomware/
https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities
https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs
https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights
https://www.advanced-intel.com/post/revil-vanishes-from-underground-infrastructure-down-support-staff-adverts-silent
https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel
https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom
https://www.bankinfosecurity.com/interviews/ransomware-files-episode-6-kaseya-revil-i-5045
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf
https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/
https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/
https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/
https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/
https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/
https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/
https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/
https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/
https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/
https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/
https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/
https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/
https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/
https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/
https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/
https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/
https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/
https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/
https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/
https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/
https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2
https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf
https://www.certego.net/en/news/malware-tales-sodinokibi/
https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html
https://www.connectwise.com/resources/revil-profile
https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/
https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/
https://www.crowdstrike.com/blog/how-falcon-complete-thwarted-a-revil-ransomware-attack/
https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/
https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/
https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles
https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
https://www.cyjax.com/2021/07/09/revilevolution/
https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/
https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/
https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/
https://www.documentcloud.org/documents/21505031-hgsac-staff-report-americas-data-held-hostage-032422
https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego
https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=&utm_medium=social&utm_source=twitter
https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain
https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged
https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/
https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/
https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/
https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/
https://www.flashpoint-intel.com/blog/revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout/
https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions
https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis
https://www.grahamcluley.com/travelex-paid-ransom/
https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
https://www.hsgac.senate.gov/media/minority-media/new-portman-report-demonstrates-threat-ransomware-presents-to-the-united-states
https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox
https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
https://www.huntress.com/blog/security-researchers-hunt-to-discover-origins-of-the-kaseya-vsa-mass-ransomware-incident
https://www.ironnet.com/blog/ransomware-graphic-blog
https://www.justice.gov/opa/pr/sodinokibirevil-ransomware-defendant-extradited-united-states-and-arraigned-texas
https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya
https://www.kaseya.com/potential-attack-on-kaseya-vsa/
https://www.kpn.com/security-blogs/Tracking-REvil.htm
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
https://www.netskope.com/blog/netskope-threat-coverage-revil
https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf
https://www.pandasecurity.com/emailhtml/2007-CAM-RANSOMWARE-AD360-WG/2006-Report-Sodinokibi-EN.pdf
https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/
https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/
https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/
https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence
https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released
https://www.secureworks.com/blog/revil-the-gandcrab-connection
https://www.secureworks.com/research/lv-ransomware
https://www.secureworks.com/research/revil-sodinokibi-ransomware
https://www.secureworks.com/research/threat-profiles/gold-southfield
https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html
https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html
https://www.splunk.com/en_us/blog/security/revil-ransomware-threat-research-update-and-detections.html
https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf
https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004
https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html
https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html
https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html
https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html
https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/undressing-the-revil/
https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://www.youtube.com/watch?v=LUxOcpIRxmg
https://www.youtube.com/watch?v=P8o6GItci5w
https://www.youtube.com/watch?v=QYQQUUpU04s
https://www.youtube.com/watch?v=l2P5CMH9TE0
https://www.youtube.com/watch?v=tZVFMVm5GAk
https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/
https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/
https://www.zscaler.com/blogs/security-research/kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload
Urls
http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/
http://blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion/Blog
File servers
http://2wub3njb7zvmnn6xohbuizjcbvy4w5dvlb4puesry3rrl6gx4452ezid.onion
http://54xj22qsftuzs6bhcistgz27reblgijdjggkgb3fdhfgl3ghkmzk7dad.onion
http://65x5syrn4gmgfnicrhyfwkokw5x3xipxer2z4vhhckrh756v6m5272qd.onion
http://fsgwyl2xd2h5s43er7epr6vuqu5eddmmtgp6cq7khmkoe3ba4d37w7ad.onion
http://rrjwr4jsju3nuwjz77hbcquiuq5hc3oc7yxlgi5rxeazehf7mlkzcvid.onion
http://ttn4gqpgvyy6tuezexxhwiukmm2t6zzawj6p3w3jprve36f43zxr24qd.onion
Chat servers
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/
http://landxxeaf2hoyl2jvcwuazypt6imcsbmhb7kx3x33yhparvtmkatpaad.onion/
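As an added check (example code written for this page, not REvil tooling and not the page's own code): the .onion hostnames above are Tor v3 addresses, which encode a 32-byte Ed25519 public key, a 2-byte SHA3-256 checksum and a version byte in base32. The script below decodes each listed address, verifies that embedded checksum and version, and flags anything malformed, which catches extraction-mangled IOCs before they are loaded into a blocklist. The address list is copied from this page; the `tampered` helper, which corrupts one character inside the checksum field, is an assumption added only to show a failing case.

```python
"""Sanity-check Tor v3 .onion addresses from an IOC list.

Added example for this page; not REvil tooling and not the page author's code.
Format (public Tor spec): onion = base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion"
                          CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
"""
import base64
import hashlib
import re

# Onion services listed in this page's "Urls" section (copied verbatim).
PAGE_ONIONS = [
    "http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/",
    "http://blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion/Blog",
    "http://2wub3njb7zvmnn6xohbuizjcbvy4w5dvlb4puesry3rrl6gx4452ezid.onion",
    "http://54xj22qsftuzs6bhcistgz27reblgijdjggkgb3fdhfgl3ghkmzk7dad.onion",
    "http://65x5syrn4gmgfnicrhyfwkokw5x3xipxer2z4vhhckrh756v6m5272qd.onion",
    "http://fsgwyl2xd2h5s43er7epr6vuqu5eddmmtgp6cq7khmkoe3ba4d37w7ad.onion",
    "http://rrjwr4jsju3nuwjz77hbcquiuq5hc3oc7yxlgi5rxeazehf7mlkzcvid.onion",
    "http://ttn4gqpgvyy6tuezexxhwiukmm2t6zzawj6p3w3jprve36f43zxr24qd.onion",
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/",
    "http://landxxeaf2hoyl2jvcwuazypt6imcsbmhb7kx3x33yhparvtmkatpaad.onion/",
]

# v3 addresses are exactly 56 base32 characters (RFC 4648 alphabet, lowercase).
ONION_RE = re.compile(r"^[a-z2-7]{56}\.onion$")
B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def parse_onion_v3(url_or_host: str) -> dict:
    """Normalize a URL/hostname, decode it as a v3 onion and verify the checksum.

    Never raises on malformed input: the caller gets a verdict dict and can
    report the bad IOC instead of crashing mid-import.
    """
    host = url_or_host.strip().lower()
    if "://" in host:                       # drop scheme
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]            # drop path
    result = {"host": host, "well_formed": False, "version": None, "checksum_ok": False}
    if not ONION_RE.match(host):
        return result
    raw = base64.b32decode(host[:-len(".onion")].upper())   # 56 chars -> 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    result.update(
        well_formed=True,
        version=version[0],
        pubkey_hex=pubkey.hex(),
        checksum_ok=(checksum == expected and version == b"\x03"),
    )
    return result


def check_all(entries) -> dict:
    """Verdict per input entry; anything not checksum_ok should not enter a blocklist unreviewed."""
    return {entry: parse_onion_v3(entry) for entry in entries}


def tampered(url_or_host: str, index: int = 52) -> str:
    """Hypothetical helper: change one base32 char of the address.

    Chars 52 and 53 lie entirely inside the two checksum bytes, so changing
    one of them must make a genuine address fail verification.
    """
    host = parse_onion_v3(url_or_host)["host"]
    repl = B32_ALPHABET[(B32_ALPHABET.index(host[index]) + 1) % 32]
    return host[:index] + repl + host[index + 1:]


if __name__ == "__main__":
    for entry, verdict in check_all(PAGE_ONIONS).items():
        status = "ok" if verdict["checksum_ok"] else "REJECT"
        print(f"{status:6} v{verdict['version']} {verdict['host']}")
    print("tampered ->", parse_onion_v3(tampered(PAGE_ONIONS[8]))["checksum_ok"])
```

Run it before importing the list anywhere; an address that decodes with version 3 but a bad checksum is the typical signature of a copy-paste or OCR error, not a real service.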

Posts

Date        Title
2022-11-29  kusd.edu
2022-11-28  Sunknowledge Services Inc
2022-11-07  medibank.com.au
2022-09-01  Midea Group
2022-08-18  Asfaltproductienijmegen
2022-08-18  CYMZ
2022-08-18  Visotec Group www.visotec.com
2022-08-18  Stratford University
2022-08-18  www.oil-india.com
2022-08-18  Unicity International
2022-08-18  Ludwig Freytag Group
2022-08-18  Doosan Group
2022-08-18  OptiProERP is a leading global provider of industry-specific ERP solutions for manufacture
2021-10-15  PTT Exploration and Production - 720GB
2021-10-08  ECKERD PERU S.A, INKAFARMA, MIFARMA
2021-10-07  Join us on RAMP
2021-10-01  Ronmor Holdings
2021-09-30  Fimmick CRM Hong Kong (www.fimmick.com)
2021-09-30  Fimmick CRM Hong Kong (www.fimmick.com)
2021-09-16  Spiezle Architectural Group Inc.
2021-09-11  ohiograting.com
2021-09-09  Apex America
2021-09-09  Allen, Dyer, Doppelt, & Gilchrist, P.A.
2021-09-09  Betenbough Homes
2021-09-09  CEC Vibration Products
2021-09-09  ENPOL LLC
2021-09-09  Iaffaldano, Shaw & Young LLP
2021-09-09  angstrom automotive group
2021-09-09  Agile Property Holdings
2021-09-09  Möbelstadt Sommerlad
2021-09-09  Gosiger
2021-09-09  neroindustry.com
2021-09-09  kuk.de / KREBS + KIEFER / 500GB
2021-09-09  KASEYA ATTACK INFO
2021-09-09  Daylesford - BHoldings - Bamford - The Wild Rabbit
2021-09-09  Hx5, LLC
2021-09-09  inocean.no / 2000 GB
2021-09-09  Primo Water
2021-09-09  lstaff.com / atworksprofessional / atworks.com
2021-09-09  South Carolina Legal Services breach
2021-09-09  ensingerplastics.com