Technical Analysis of REvil ransomware

Background

Recently we handled ransomware incidents in which the ransomware binary could be recovered from the C:\perflogs folder on the victim machine; the binary had been executed from there to encrypt the entire NAS file server.

Ransomware REvil Hashes

md5: 30883080a1ece1a12dea56e56ac9b095

Static Analysis

Similarity Level

We took another public REvil sample (https://github.com/UIM-SEC/ransomware-samples/blob/master/revil_sodinokibi.zip, hash value 2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6) for binary similarity comparison and diffing:

[Figures: binary diffing with BinDiff; function similarity score; function block and flow comparison; partially unmatched functions; unmatched function reverse engineering; list of primary unmatched functions; binary diffing overview; unmatched function analysis 1 and 2]

Feature Level

  1. Anti-Debugging
[Figures: anti-debugging with rdtsc (1 and 2); import table]
  2. Encryption
[Figures: reverse engineered RC4 functions, KSA and PRGA]
RC4 key-scheduling algorithm (KSA):
  1. Every cell in the table is filled with a number equal to its position; the positions of the table are numbered from 0 to 255.
  2. A new temporary helper variable is created and set to 0.
  3. For each element in the array the two following operations are performed (note that the values are from 0 to 255):
  • The value of the temporary variable is updated.
  • The number in the array at the current position is swapped with the number in the array at the position determined by the temporary variable.
RC4 pseudo-random generation algorithm (PRGA):
  1. Two helper variables p1 and p2 are created and set to 0.
  2. The variable p1 is increased by 1 and the result is reduced modulo 256.
  3. The variable p2 is increased by the value in the array T at the position determined by p1 (T[p1]); then the result is reduced modulo 256.
  4. The value in the array at position p1 is swapped with the value in the array at position p2.
  5. The value in the array at position p1 is added to the value in the array at position p2; the result is reduced modulo 256 and assigned to a new helper variable p3.
  6. The value in the array at position p3 is the next keystream byte.
  7. If more keystream bytes are needed, steps 2 onwards are repeated.
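The KSA and PRGA steps above written out in C, as an added example (not code from the sample or from the original post), so that a routine recovered by reverse engineering can be checked against published RC4 test vectors; the rc4_state struct and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* RC4 state: the 256-byte table T and the two PRGA indices p1, p2 */
typedef struct { uint8_t T[256]; uint8_t p1, p2; } rc4_state;
/* KSA (steps 1-3 above). Returns 0 for an empty key, else 1. */
int rc4_ksa(rc4_state *st, const uint8_t *key, size_t keylen) {
    if (keylen == 0) return 0;                        /* i % keylen would divide by zero */
    for (int i = 0; i < 256; i++) st->T[i] = (uint8_t)i;            /* step 1 */
    uint8_t j = 0;                                                   /* step 2 */
    for (int i = 0; i < 256; i++) {                                  /* step 3 */
        j = (uint8_t)(j + st->T[i] + key[i % keylen]);               /* update helper (mod 256) */
        uint8_t tmp = st->T[i]; st->T[i] = st->T[j]; st->T[j] = tmp; /* swap T[i], T[j] */
    }
    st->p1 = st->p2 = 0;                                             /* PRGA step 1 */
    return 1;
}
/* PRGA (steps 2-6 above): one keystream byte per call; uint8_t arithmetic is the mod 256. */
uint8_t rc4_next(rc4_state *st) {
    st->p1 = (uint8_t)(st->p1 + 1);                                  /* step 2 */
    st->p2 = (uint8_t)(st->p2 + st->T[st->p1]);                      /* step 3 */
    uint8_t tmp = st->T[st->p1]; st->T[st->p1] = st->T[st->p2]; st->T[st->p2] = tmp; /* step 4 */
    uint8_t p3 = (uint8_t)(st->T[st->p1] + st->T[st->p2]);           /* step 5 */
    return st->T[p3];                                                /* step 6 */
}
/* XOR the keystream into in[] (encrypt == decrypt). Returns bytes processed, 0 for an empty key. */
size_t rc4_crypt(const uint8_t *key, size_t keylen, const uint8_t *in, uint8_t *out, size_t len) {
    rc4_state st;
    if (!rc4_ksa(&st, key, keylen)) return 0;
    for (size_t i = 0; i < len; i++) out[i] = in[i] ^ rc4_next(&st);
    memset(&st, 0, sizeof st);                       /* do not leave key material on the stack */
    return len;
}
/* Published RC4 test vectors; a reverse-engineered "RC4" that fails these is a variant, not RC4. */
int rc4_selftest(void) {
    static const uint8_t ct1[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3}; /* "Key"/"Plaintext" */
    static const uint8_t ct2[5] = {0x10,0x21,0xBF,0x04,0x20};                     /* "Wiki"/"pedia" */
    uint8_t out[9];
    if (rc4_crypt((const uint8_t *)"Key", 3, (const uint8_t *)"Plaintext", out, 9) != 9 ||
        memcmp(out, ct1, 9) != 0) return 0;
    return rc4_crypt((const uint8_t *)"Wiki", 4, (const uint8_t *)"pedia", out, 5) == 5 &&
           memcmp(out, ct2, 5) == 0;
}
int main(void) {
    printf("RC4 self-test: %s\n", rc4_selftest() ? "PASS" : "FAIL");
    return rc4_selftest() ? 0 : 1;
}
```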
[Figures: RC4 algorithm; RC4 in C vs. assembly instructions, KSA and PRGA; Elliptic Curve 25519 functions 1 and 2]

Dynamic Analysis

We use ANY.RUN to conduct the dynamic analysis of the REvil ransomware.

Executing the REvil Sample

The ransomware sample is named netframe.exe.

[Figures: the REvil sample imported into ANY.RUN and executed manually; document and media files encrypted and the desktop background changed; the ransom notes]

Network Analysis

A few connections are made during the analysis, but they go to legitimate sources such as Microsoft. The sample itself makes no outbound network connections.

Processes Analysis

After netframe.exe is extracted and executed manually, the process analyzer reports that it reads computer names and environment values, creates files and renames files, which is typical ransomware behaviour.

[Figures: process graph; netframe.exe flagged as a dangerous process]

Mitre ATT&CK Matrix

The MITRE ATT&CK™ framework is a comprehensive matrix of tactics and techniques used to classify attacks and assess organizational risk.

[Figures: MITRE ATT&CK matrix of the sample; comparison showing non-REvil family ransomware exhibiting more malicious activities]

Conclusion

Our team has performed static and dynamic analysis of the REvil sample. We studied the binary similarity between our sample and the published public REvil sample, and reverse engineered our captured REvil/Sodinokibi sample to identify the anti-debugging techniques and encryption algorithms it applies.

VXRL

VXRL Team was founded by a group of enthusiastic security researchers, providing information security services and contributing to the community. https://www.vxrl.hk