What is REvil/Sodinokibi Ransomware

What is REvil/Sodinokibi Software?

REvil/Sodinokibi ransomware, also known as Sodin, is a sophisticated and elusive ransomware discovered in April 2019. This malware encrypts files and cleverly deletes the ransom request message after infecting a system, leaving the victim unaware of what happened. Once the encryption process is complete, the victim receives a message demanding a Bitcoin ransom to recover their files. If the ransom is not paid promptly, the attacker threatens to double the demand, putting additional pressure on the victim.

REvil/Sodinokibi ransomware is dangerous because it can bypass traditional security measures and infiltrate systems undetected. Its stealthy approach makes it challenging to identify and prevent, making it a preferred choice for cybercriminals.

REvil is a prime example of Ransomware-as-a-Service, a type of cybercrime that involves two groups working together to conduct the hack. The first group comprises code authors who develop the ransomware, while the second group comprises affiliates who spread the malware and collect the ransom payments. This model has made Sodinokibi ransomware incredibly dangerous for companies of all sizes, as it enables cybercriminals to carry out sophisticated and large-scale attacks with minimal effort and risk.

There is a significant connection between the authors of REvil/Sodinokibi ransomware and the notorious GandCrab ransomware, which was recently retired. In fact, the authors of both ransomware families are believed to be the same. GandCrab, in particular, has been responsible for nearly 40% of all ransomware infections worldwide, making it one of the most prolific and damaging ransomware strains in recent history.

When did REvil Ransomware Start?

Sodinokibi, first discovered in 2019, has been linked to a Russian-speaking underground group and is believed to share some connections with the infamous GandCrab ransomware. The group behind Sodinokibi is thought to be the same as that responsible for GandCrab, one of the most pervasive and damaging ransomware strains of its time.

Some Notable Attacks of Sodinokibi (REvil) Ransomware

According to a forensic study conducted by cybersecurity firm Trend Micro, the Sodinokibi/REvil ransomware operation had been targeting organizations and individuals globally, with a recent concentration of attacks in Mexico, the United States, Japan, and Germany. This indicates a shift in the group’s targeting strategy, as previous attacks were more geographically dispersed.

Interestingly, the ransomware operation appeared to deliberately exclude companies based in countries belonging to the Commonwealth of Independent States (CIS).

REvil ransomware has been responsible for several notable attacks on organizations worldwide. Here are some examples:

• JBS Foods: In May 2021, the world’s largest meat processing company, JBS Foods, suffered a ransomware attack attributed to REvil. The attack temporarily shut down several plants in the U.S., Canada, and Australia.
• Kaseya: In July 2021, a supply chain attack using REvil ransomware targeted Kaseya, a software vendor that provides IT management services to thousands of companies worldwide. The attack impacted over 1,500 businesses, making it one of the most significant ransomware attacks.
• Travelex: In December 2019, REvil ransomware targeted Travelex, a global foreign exchange company, and demanded a $6 million ransom payment. The attack shut down the company’s systems for several weeks and caused significant financial losses.
• Acer: In March 2021, Taiwanese computer manufacturer Acer was hit by a REvil ransomware attack that demanded a $50 million ransom payment. While Acer did not disclose whether it paid the ransom, the attack disrupted its operations and impacted its supply chain.

Of the Sodinokibi group’s ransomware assaults, the ones that attacked JBS and Kaseya arguably caused the most widespread harm, eliciting the most determined and successful countermeasures from several countries, law enforcement agencies, and commercial IT security organizations.

How Does Revil/Sodinokibi Work?

The ransomware family Sodinokibi/REvil employs a range of attack routes to spread its attack;

• RDP assaults
• Software flaws
• Phishing and email scams

After Sodinokibi/REvil affiliates have discovered a means to install their files onto your system, they will encrypt your data and any existing backups on your network. In return, you will receive a message requesting payment in Bitcoin for your missing data.

How Does REvil/Sodinokibi Encrypt Files?

REvil/Sodinokibi downloads a.zip file containing the ransom code, written in JavaScript, goes over the affected network, and encrypts files, attaching a unique extension to them. The fact that REvil/Sodinokibi may replicate and reinstall itself as long as the original ransom code is not erased makes it more hazardous.

After the encryption is finished, the ransom message is often the first thing victim sees. The ransom instructions might be shown on the desktop as well.

The virus attempts to interact with a C2 server after encrypting the data on the target system. It constructs the URL for the C2 by iterating through a list of domains specified in the earlier decoded configuration file.

The compromised systems are operable without backups, a rollback mechanism, or other methods for recovering the encrypted data, but all essential information stored on them is unavailable.

The malware produces many URLs by combining hard-coded and randomly generated strings. The virus then transmits encrypted computer files to each domain, comprising machine languages, domain names, user names, operating system kinds, and CPU architecture.

When a victim inputs the key from the ransom note, a website reveals the amount in Bitcoin that they must pay to get their data back.

How to Protect from REvil/Sodinokibi Ransomware?

If your network is infected, the most effective strategy is to isolate the ransomware and wipe compromised devices.

Don’t try to restore affected data since the ransomware may encrypt it even more. Do not, in any case, pay the ransom. There is no assurance that you will regain access, retrieve uncorrupted data, or that exfiltrated data will not be disclosed or auctioned off in the future.

Protecting against REvil/Sodinokibi ransomware requires a multi-pronged approach that includes security awareness, email scanning, and assessments of your current cybersecurity procedures.

Train Your Staff

Training your employees to spot possible phishing schemes and defective email attachments is part of security awareness. Because phishing and email scams are the most prevalent attack vectors for ransomware offenders, including families like Sodinokibi, this should always be the first line of security for businesses.

Backup Your Data

This may appear technical, but we view it as plain sense. You should keep your data both online and offline, and you should practice reverting to backups in the event of an emergency.

Frequently Update Software Systems

Updates help you address security flaws many malware use to penetrate your systems. Because patching is a resource-intensive and time-consuming activity, the best way to protect yourself from REvil/Sodinokibi and other ransomware is to use an automatic patching solution.

Use Multi-layered Cybersecurity

A good antivirus program is crucial for any company’s cybersecurity, but we advocate using a multi-layered security approach to be as safe as possible.

What is Being Done to Stop REvil/Sodinokibi Ransomware

In July 2021, the REvil ransomware group launched a significant ransomware attack against multiple companies worldwide, including Kaseya, a software management company based in the United States. In response, the government and the tech industry took several measures to counter the REvil ransomware.

Government Response:

• The United States government, through its cybersecurity agency, the Cybersecurity and Infrastructure Security Agency (CISA), issued an emergency directive to all federal agencies to take immediate action to protect their networks from the REvil ransomware. The directive outlined several measures, including disabling the affected software, scanning all systems for indicators of compromise, and implementing multi-factor authentication.
• The government also launched an investigation into the attack, with the Federal Bureau of Investigation (FBI) leading the effort. In addition, the United States Department of Justice (DOJ) announced a new policy that prioritizes ransomware investigations and encourages victims to report ransomware incidents to law enforcement.

Tech Industry Response:

• The tech industry responded to the REvil ransomware attack by taking several measures to protect their customers from the malware. For example, Kaseya, the company directly affected by the attack, issued an urgent patch to fix the software vulnerabilities that the ransomware exploited.
• In addition, several major cybersecurity companies, including Microsoft and Sophos, worked together to disrupt the REvil ransomware by taking control of its command-and-control servers. By doing so, they prevented the ransomware from functioning properly and prevented it from infecting more systems.

How Lepide Helps Protect Against REvil/Sodinokibi Ransomware Attacks

The Lepide Data Security Platform is an intelligent ransomware protection solution that enables organizations to spot the symptoms of an attack in progress and take defensive action. The Platform does this through a combination of pre-defined threat models, threshold alerting, and real-time threat response. For example, if a large number of files are renamed in a short space of time, it could be an indication that they are being encrypted. Lepide can detect this, and execute a custom script to disable the user account responsibly.

Lepide also helps organizations reduce the risk of ransomware by reducing the threat surface. With Lepide, you can identify and clean up inactive users, open shares, and other potential misconfigurations or bad practices involving your Active Directory or data stores. This drastically reduces the potential risk and damages that a ransomware attack can do, and ensures you remain compliant.