Technical Analysis of REvil ransomware

Background

Ransomware REvil Hashes

Static Analysis

Similarity Level

Binary Diffing with BinDiff
Function Similarity Score
Function Block and Flow Comparison
Figuring out partially unmatched functions
Unmatched Function Reverse Engineering
List of Primary Unmatched Functions
Binary Diffing Overview
Unmatched Function Analysis — 1
Unmatched Function Analysis — 2

Feature Level

  1. Anti-Debugging
Anti-Debugging with rdtsc — 1
Anti-Debugging with rdtsc — 2
Import Table
Reverse engineered function in RC4 — KSA
Reverse engineered function in RC4 — PRGA
KSA (key-scheduling algorithm):
  1. Every cell in the table T is filled with a number equal to its position; the positions run from 0 to 255.
  2. A temporary helper variable j is created and set to 0.
  3. For each position i in the table (i runs from 0 to 255) the two following operations are performed:
  • The temporary variable is updated: j = (j + T[i] + key[i mod key length]) mod 256.
  • The value at the current position, T[i], is swapped with the value at the position determined by the temporary variable, T[j].

PRGA (pseudo-random generation algorithm):
  1. Two helper variables p1 and p2 are created and set to 0.
  2. The variable p1 is increased by 1 and the result is reduced modulo 256.
  3. The variable p2 is increased by the value in the table T at position p1 (T[p1]); the result is reduced modulo 256.
  4. The value at position p1 is swapped with the value at position p2.
  5. The value at position p1 is added to the value at position p2; the result is reduced modulo 256 and assigned to a new helper variable p3.
  6. The value at position p3, T[p3], is the next keystream byte.
  7. If more keystream bytes are needed, steps 2 to 6 are repeated.
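The KSA and PRGA steps above, written out in C so they can be compared against the disassembly. This is an added reference implementation, not the sample's code or the authors' decompilation; the names T, p1, p2 and p3 follow the description above, j is the KSA index the text calls the temporary variable, and the test vector (key "Key", plaintext "Plaintext") is the published RC4 vector, not data from the sample.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RC4 state: the 256-byte permutation table T plus the PRGA indices p1, p2. */
typedef struct {
    uint8_t T[256];
    uint8_t p1;
    uint8_t p2;
} rc4_state;

/* Key-scheduling algorithm (KSA), steps 1-3 above.
   All indices are uint8_t, so the "mod 256" happens through wraparound. */
void rc4_ksa(rc4_state *st, const uint8_t *key, size_t keylen)
{
    /* Step 1: T[i] = i for i in 0..255. */
    for (int i = 0; i < 256; i++)
        st->T[i] = (uint8_t)i;

    /* Step 2: temporary index j starts at 0. */
    uint8_t j = 0;

    /* Step 3: update j from T[i] and the next key byte, then swap T[i], T[j]. */
    for (int i = 0; i < 256; i++) {
        j = (uint8_t)(j + st->T[i] + key[i % keylen]);
        uint8_t tmp = st->T[i];
        st->T[i] = st->T[j];
        st->T[j] = tmp;
    }
    st->p1 = 0;
    st->p2 = 0;
}

/* One round of the PRGA (steps 2-6 above): returns the next keystream byte. */
uint8_t rc4_prga_byte(rc4_state *st)
{
    st->p1 = (uint8_t)(st->p1 + 1);                         /* step 2 */
    st->p2 = (uint8_t)(st->p2 + st->T[st->p1]);             /* step 3 */
    uint8_t tmp = st->T[st->p1];                            /* step 4: swap */
    st->T[st->p1] = st->T[st->p2];
    st->T[st->p2] = tmp;
    uint8_t p3 = (uint8_t)(st->T[st->p1] + st->T[st->p2]);  /* step 5 */
    return st->T[p3];                                       /* step 6 */
}

/* Encrypt or decrypt buf in place (RC4 is symmetric: XOR with the keystream). */
void rc4_crypt(const uint8_t *key, size_t keylen, uint8_t *buf, size_t len)
{
    rc4_state st;
    rc4_ksa(&st, key, keylen);
    for (size_t i = 0; i < len; i++)
        buf[i] ^= rc4_prga_byte(&st);
}

/* Sanity check against the published vector: RC4("Key", "Plaintext") = BBF316E8D940AF0AD3. */
int rc4_check_vector(void)
{
    const uint8_t key[] = "Key";
    uint8_t buf[] = "Plaintext";
    const uint8_t expect[] = {0xBB, 0xF3, 0x16, 0xE8, 0xD9, 0x40, 0xAF, 0x0A, 0xD3};
    rc4_crypt(key, 3, buf, 9);
    if (memcmp(buf, expect, 9) != 0)
        return 0;
    rc4_crypt(key, 3, buf, 9);               /* decrypt: same operation again */
    return memcmp(buf, "Plaintext", 9) == 0; /* round trip restores the plaintext */
}

int main(void)
{
    printf("RC4 test vector %s\n", rc4_check_vector() ? "OK" : "FAILED");
    return 0;
}
```

When matching this against the disassembly, the KSA is the loop with the byte-wise add of a key byte and a table entry followed by an xchg or three-mov swap; the PRGA is the loop that increments one index, adds a table entry to the other, swaps, and then indexes the table once more with the sum of the two swapped bytes.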
RC4 Algorithm
RC4 in C Vs Assembly Instruction — KSA
RC4 in C Vs Assembly Instruction — PRGA
Elliptic Curve 25519 (Curve25519) Function — 1
Elliptic Curve 25519 (Curve25519) Function — 2

Dynamic Analysis

Executing the REvil Sample

The REvil ransomware sample is imported into ANY.RUN
The sample is executed manually
Document and media files are encrypted, and the desktop background is changed
The Ransom Notes

Network Analysis

Processes Analysis

Process graph
netframe.exe is flagged as a dangerous process

Mitre ATT&CK Matrix

Mitre ATT&CK Matrix of the sample
Non-REvil-family ransomware exhibits more malicious activity

Conclusion


VXRL Team is founded by a group of enthusiastic security researchers who provide information security services and contribute to the community. https://www.vxrl.hk
