David Morán Jun 14, 2021 6 min read

Updates to REvil ransomware

The REvil (Sodinokibi) ransomware has been the subject of several news articles related to cybersecurity in recent months. For example, one of the most notorious was the infection suffered by Acer, with a ransom of 50 million dollars that rose to 100 million when the demands of the cybercriminals were not met.

Introduction

Recently, the Taiwanese company "Quanta Computer" - Apple's official supplier - has also been affected by this ransomware-as-a-service (RaaS), demanding the same amount of money that they had asked from Acer at the time.

Like all products, and malware of this type, it receives updates to better pursue its purposes. In this case, we are presenting a new variant whose way of operating was discovered in March, and which allows Windows to be configured to auto-login in Safe Mode.

REvil

REvil emerged around 2019, and is one of the most talked about RaaS in recent months. As is often the case, the final deployment of the ransomware is accompanied by preliminary steps in which various components are used to configure persistence pathways on the computer, as well as reconnaissance, privilege escalation or lateral movements. For example, IcedID (bokbot, IceID) is a trojan commonly used to schedule persistence by scheduling tasks in the operating system, prior to the execution of REvil.

Once REvil compromises the system, the note that we see in the following image or a similar one is displayed. At that point, the system is already infected by the malware.

revelock-malware-revil-01

REvil hijack note

Updates

Booting in Safe Mode is a resource that can be used to bypass traditional antivirus scanning, and it's nothing new. For example, the Snatch ransomware already used it. In that case, the malware added the Windows registry key HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan:Default:Service, and used the bcdedit.exe tool, available through the command console, to boot in Safe Mode.

The version of REvil that incorporates this feature allows it to be run with the -s mode flag to restart the computer in Safe Mode, but it will also modify entries in the Windows registry corresponding to Winlogon, to automatically log in with the credentials used by the malware. Specifically, we will see changes in the values: AutoAdminLogon, DefaultUserName, DefaultPassword. The latter has been given the curious and not so inconspicuous value of “DTrump4ever”.

revelock-malware-revil-02Windows registry entry with default password DTrump4ever

The ability to automate encryption via Safe Mode startup (-smode) to bypass security controls was already present in this malware, but what makes this new version possible is a refinement of the existing version, enabling auto-login by means of changing credentials. In this way, it seeks to go unnoticed by the user.

However, this does not happen in all cases. As discussed in a recent report by The DFIR Report, the ransomware does not always run with the -smode flag and instead runs a DLL to encrypt the system without requiring a reboot in Safe Mode. This will depend on how the malware load has been implemented, but in any case it is interesting to know that new samples may have this feature implemented.

 

Conclusions

Apart from the updates that are typical of any malware and that try to circumvent the detection and monitoring mechanisms, the updates in the operation of ransomware are generally aimed at reducing encryption time and also incorporating features such as the current one to decide whether the encryption will be done without requiring the startup in Safe Mode or if, on the contrary, the computer will be forced to restart, circumventing security solutions to the extent possible.

This also is aimed at minimizing any possible interaction with the user by establishing a default password. The development of malware is taking a turn in which its way of operating is prepared for multiple scenarios in which the form of deployment will be decided at the last minute.

In any case, in the laboratory tests carried out, the startup in Safe Mode is noticeable if the user is aware of the restart as well as of the computer's usual behavior. As in other cases, it is essential to mitigate the effect of this type of attack, being familiar with how it operates and its possibilities, in addition to eliminating the assumption held by many that booting in Safe Mode is, indeed, safe.

avatar

David Morán

David has more than 15 years’ experience in cybersecurity, systems and development, starting out in an extinct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network with a traffic load of over 12Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits as well as malware for Windows environments. He is currently the head of Revelock’s development team, managing task distribution and negotiating with the Head of Technology.