Threat Intelligence Brief
REvil Ransomware April 2019 ITW
Presented by: Itesh Nathoo
#101398060

Summary of Analysis
• REvil ransomware is file-encrypting malware considered a serious threat: after infection it encrypts the victim's files and drops a ransom note.
• It has been observed propagating by exploiting a vulnerability in Oracle's WebLogic server.
• REvil is also operated as Ransomware-as-a-Service (RaaS): one group maintains the code while another group, known as affiliates, spreads the ransomware.
• The RaaS model lets affiliates distribute REvil however they choose. Some run mass-spread campaigns using exploit kits and phishing, while others take a more targeted approach, deploying tools and scripts to escalate privileges and execute the ransomware across the victim's internal network, or brute-forcing RDP access.

Threat Characteristics
• The malware exploits vulnerabilities to escalate its privileges to SYSTEM.
• Certain file extensions, folders and filenames are whitelisted, i.e. excluded from encryption, through three configuration keys:
  • ext: whitelisted file extensions
  • fld: whitelisted folder names
  • fls: explicitly whitelisted filenames
• The ransomware encrypts files locally and on network storage.
• It can also exfiltrate data to remote controllers.

Threat Dependencies
• REvil verifies that no other instance of itself is running on the host by attempting to create a mutex with a hard-coded name (e.g., C19C0A84-FA11-3F9C-C3BC-0BCB16922ABF).
• If the mutex is created successfully, REvil reads the "exp" key from its configuration and, if that key is enabled, attempts to elevate privileges with a local privilege escalation (LPE) exploit.
• REvil executes either 32-bit or 64-bit shellcode depending on the host's architecture.

Behavioral and Code Analysis
• Once on the victim's device, it encrypts their files with a key that only the attackers hold.
• REvil and its affiliates have attacked high-profile targets and collected significant ransoms. Some of their most significant targets include:
  • JBS (a major US meat producer that ended up paying an $11 million USD ransom)
  • Kaseya (a major business service provider whose compromise affected thousands of companies)

Technical Details
• The attackers use tools and techniques to map the network, gain access to other internal systems, obtain domain administrator privileges, and deploy the ransomware on every computer to maximize impact.
• The ransomware is distributed through phishing emails. On an infected machine it kills processes such as email and database servers, Microsoft Office programs, browsers, and tools that keep important files backed up.
• It deletes Windows volume shadow copies and other backups to prevent file recovery.
• REvil stands apart from other ransomware families through its use of Elliptic-Curve Diffie-Hellman (ECDH) key exchange.

Important MITRE ATT&CK Techniques
• User Execution: the ransomware initially executes when the user opens a JavaScript file contained in the phishing email's .zip attachment.
• Access Token Manipulation: REvil can obtain the token of the user who launched the explorer.exe process, so that it does not affect the desktop of the SYSTEM user.
• Command and Scripting Interpreter: REvil has used PowerShell to delete volume shadow copies and to download files.
• Data Encrypted for Impact: it encrypts files on victim systems and demands a ransom to decrypt them.
• Service Stop: REvil looks up every process listed in the prc field of its configuration and terminates each one.

Incident Recommendations
• To protect your organization against REvil, make sure your defenses are layered.
• The actors either buy, brute-force or spear-phish their way into your company, or come in through a trusted third party that has access to your network.
• Protective measures for organizations include sandboxing, backing up data, educating users, and restricting access.
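The Threat Characteristics and Threat Dependencies slides name the configuration keys an analyst usually extracts from a decoded REvil sample: ext, fld and fls (encryption whitelists), prc (the process kill list behind the Service Stop technique) and exp (the LPE toggle). The script below is an added triage example and is not part of the brief; the sample configuration is constructed, the key semantics (extension, directory component and filename matching, case-insensitive as on Windows) are stated as assumptions, and load_config, is_whitelisted and summarize are hypothetical helper names.

```python
"""Triage a decoded REvil-style configuration.

Added example, not from the brief. The config below is a constructed sample,
not data from a real specimen; only the keys the brief names are used.
"""
import json
import ntpath

# Constructed sample config: values are illustrative, not from a real sample.
SAMPLE_CONFIG = json.dumps({
    "exp": True,                                    # LPE exploit enabled?
    "ext": ["exe", "dll", "sys", "lnk"],            # whitelisted extensions
    "fld": ["windows", "program files", "$recycle.bin"],  # whitelisted folders
    "fls": ["ntldr", "boot.ini", "desktop.ini"],    # whitelisted filenames
    "prc": ["outlook.exe", "sqlservr.exe", "winword.exe", "chrome.exe"],  # kill list
})


def load_config(raw: str) -> dict:
    """Parse the JSON config and lower-case every list value.

    Assumption: Windows paths are case-insensitive, so comparisons are too.
    """
    cfg = json.loads(raw)
    out = {"exp": bool(cfg.get("exp", False))}
    for key in ("ext", "fld", "fls", "prc"):
        out[key] = {v.lower() for v in cfg.get(key, [])}
    return out


def is_whitelisted(path: str, cfg: dict) -> bool:
    """Return True if the whitelist rules would spare this file.

    Assumed semantics: the extension is in ext, the basename is in fls, or any
    directory component of the path is in fld. Accepts Windows-style paths.
    """
    norm = path.replace("/", "\\").lower()
    head, base = ntpath.split(norm)
    _, ext = ntpath.splitext(base)
    if ext.lstrip(".") in cfg["ext"]:
        return True
    if base in cfg["fls"]:
        return True
    parts = [p for p in head.split("\\") if p]
    return any(p in cfg["fld"] for p in parts)


def summarize(cfg: dict) -> dict:
    """Analyst-facing summary: what is skipped, what is killed, whether LPE is armed."""
    return {
        "lpe_enabled": cfg["exp"],
        "whitelisted_extensions": sorted(cfg["ext"]),
        "whitelisted_folders": sorted(cfg["fld"]),
        "whitelisted_files": sorted(cfg["fls"]),
        "kill_list": sorted(cfg["prc"]),
    }


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print(json.dumps(summarize(cfg), indent=2))
    for p in (r"C:\Users\alice\Documents\budget.xlsx",
              r"C:\Windows\System32\kernel32.dll",
              r"C:\Users\alice\Desktop\desktop.ini"):
        print(p, "->", "skipped" if is_whitelisted(p, cfg) else "would be encrypted")
```

The whitelist check is the part worth keeping at hand during an incident: running it over a file listing tells you which paths the sample would have left alone, which in turn explains why system folders boot normally while user data is encrypted. The kill list from prc is what the Service Stop technique acts on, so it doubles as a list of services whose unexpected termination is worth alerting on.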
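Two of the MITRE ATT&CK techniques on the slide leave clear traces in process-creation telemetry: volume shadow copy deletion through vssadmin, wmic or PowerShell, and user execution of a JavaScript file that a script host launches from a temporary or download folder. The detection logic below is an added example, not part of the brief. The events are constructed JSON lines that borrow Sysmon Event ID 1 field names (UtcTime, Computer, Image, ParentImage, CommandLine) but are not real captures, and parse_events, classify and detect are hypothetical helper names.

```python
"""Detect shadow copy deletion and script-host execution of .js lures.

Added example, not from the brief. Telemetry below is constructed; the field
names follow Sysmon Event ID 1 but every record is made up for illustration.
"""
import json
import ntpath
import re
from typing import Optional

# Constructed sample telemetry: one JSON object per line, not real captures.
SAMPLE_EVENTS = r"""
{"UtcTime": "2019-04-12 09:14:02", "Computer": "ws01", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe \"C:\\Users\\bob\\AppData\\Local\\Temp\\Temp1_invoice.zip\\invoice.js\"", "ParentImage": "C:\\Windows\\explorer.exe"}
{"UtcTime": "2019-04-12 09:14:40", "Computer": "ws01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -Command \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\"", "ParentImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\dropper.exe"}
{"UtcTime": "2019-04-12 09:14:41", "Computer": "ws01", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"UtcTime": "2019-04-12 10:02:15", "Computer": "srv02", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe list shadows", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"UtcTime": "2019-04-12 10:05:00", "Computer": "ws03", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Scripts\\login\\mapdrives.js", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

# Binaries that can delete shadow copies, and the command-line shapes to match.
SHADOW_TOOLS = {"vssadmin.exe", "wmic.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
SHADOW_RE = re.compile(r"delete\s+shadows|shadowcopy\s+delete|win32_shadowcopy.*\.delete\(", re.I)

# Script hosts that run a .js lure, and user-writable folders a mail attachment lands in.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JS_RE = re.compile(r"\.js\b", re.I)
USER_DIRS_RE = re.compile(r"\\appdata\\local\\temp\\|\\downloads\\", re.I)


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(evt: dict) -> Optional[str]:
    """Return the rule name an event triggers, or None if it looks benign."""
    image = ntpath.basename(evt.get("Image", "")).lower()
    cmd = evt.get("CommandLine", "")
    if image in SHADOW_TOOLS and SHADOW_RE.search(cmd):
        return "shadow_copy_deletion"
    if image in SCRIPT_HOSTS and JS_RE.search(cmd) and USER_DIRS_RE.search(cmd):
        return "script_host_js_from_user_dir"
    return None


def detect(text: str) -> list:
    """Run every event through the rules and collect alert records."""
    alerts = []
    for evt in parse_events(text):
        rule = classify(evt)
        if rule:
            alerts.append({"rule": rule, "host": evt["Computer"],
                           "time": evt["UtcTime"], "cmd": evt["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['time']} {a['host']} {a['rule']}: {a['cmd']}")
```

Note that "vssadmin.exe list shadows" is deliberately left unmatched: listing shadow copies is routine administration, and a rule that fires on every vssadmin invocation will be tuned out quickly. The .js rule keys on the script host plus a user-writable location rather than on the extension alone, so logon scripts run from a managed share do not alert.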