REvil Ransomware Malware Analysis

Hey all, today I will be talking about REvil ransomware. REvil (also known as Sodinokibi) is a Ransomware-as-a-Service (RaaS) program. Its first attacks, in mid-April 2019, drew a lot of attention from the security community because it shared many similarities with GandCrab ransomware, including its use of exploit kits, scanning for and exploiting vulnerable software (for example Oracle WebLogic), exposed RDP servers, and backdoored software installers.

The makers of REvil claim to have earned more than $100 million in a year by infecting large enterprises. If the ransom is not paid, the attackers may publish data stolen from the victim's internal network on their leak blog.

REvil can perform the following tasks. Most of these capabilities are configurable, which lets an operator fine-tune the payload per victim.

· Exploit CVE-2018-8453 to elevate privileges

· Terminate blacklisted processes prior to encryption to eliminate resource conflicts

· Wipe the contents of blacklisted folders

· Encrypt non-whitelisted files and folders on local storage devices and network shares

· Exfiltrate basic host information

Technical Analysis

String Encryption

REvil encrypts its string data with RC4, so the strings only exist in the clear at run time; this hinders static analysis and helps the sample evade security solutions such as anti-virus and EDR. During our study we were able to decrypt the strings obfuscated by the ransomware authors, as seen in the figure below.

The configuration read by the ransomware is kept in a dedicated section of the malware binary named .cfg, together with its RC4 decryption key (in this sample, pDisBT7geGwku4wBPM2Buiq3TrmvBums), and decrypts to a JSON document.

After RC4 decryption the routine returns a large JSON blob to a variable for further processing. For readability, a condensed version of the configuration is included below.

· Full version of the REvil config data in JSON format:

· Python script to extract and parse the configuration file from the ransomware:

REvil configuration keys and definitions:

In the full JSON config data, the ransom note (README) is stored Base64-encoded, and we were able to decode this string as seen in the image below.
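The following script is an added example of the extraction and decoding described above; it is not the post's own script and was not taken from the malware. It decrypts a .cfg-style blob with plain RC4, validates the result, parses the JSON and Base64-decodes the ransom note. The header layout it assumes (32-byte RC4 key, 4-byte CRC32 of the plaintext, 4-byte plaintext length, then ciphertext) comes from public REvil write-ups rather than from this post, and the sample section is constructed inside the script so it runs offline; the key string is the one quoted above.

```python
import base64
import json
import struct
import zlib

# RC4 key quoted in the post for this sample (32 ASCII bytes).
RC4_KEY = b"pDisBT7geGwku4wBPM2Buiq3TrmvBums"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_cfg_section(section: bytes) -> dict:
    """Decrypt a .cfg-style blob and return the JSON configuration.

    ASSUMED layout (from public REvil write-ups, not stated in the post):
      bytes  0..31  RC4 key (ASCII)
      bytes 32..35  CRC32 of the plaintext JSON (little-endian)
      bytes 36..39  plaintext length (little-endian)
      bytes 40..    RC4 ciphertext
    The CRC check tells the analyst immediately whether the key and
    layout guesses are right instead of feeding garbage to json.loads.
    """
    if len(section) < 40:
        raise ValueError("section too short to hold the .cfg header")
    key = section[:32]
    crc, length = struct.unpack("<II", section[32:40])
    ciphertext = section[40:40 + length]
    if len(ciphertext) != length:
        raise ValueError("section truncated: header length exceeds data")
    plaintext = rc4(key, ciphertext)
    if zlib.crc32(plaintext) & 0xFFFFFFFF != crc:
        raise ValueError("CRC32 mismatch: wrong key or corrupted section")
    return json.loads(plaintext.decode("utf-8"))


def build_cfg_section(key: bytes, config: dict) -> bytes:
    """Produce a blob in the assumed layout. Used here only to construct
    sample input; on a real sample you would slice the .cfg section bytes
    out of the PE and hand them to parse_cfg_section()."""
    if len(key) != 32:
        raise ValueError("RC4 key must be 32 bytes")
    plaintext = json.dumps(config).encode("utf-8")
    header = key + struct.pack("<II", zlib.crc32(plaintext) & 0xFFFFFFFF, len(plaintext))
    return header + rc4(key, plaintext)


def decode_ransom_note(config: dict) -> str:
    """The README text is kept Base64-encoded in the 'nbody' key."""
    return base64.b64decode(config["nbody"]).decode("utf-8", errors="replace")


# Constructed sample configuration: a small subset of keys, and a made-up
# note body (the real note is only shown in the post's screenshots).
SAMPLE_NOTE = "Your files are encrypted with extension {EXT}.\nKey: {KEY}\n"
SAMPLE_CONFIG = {
    "nname": "{EXT}-readme.txt",
    "nbody": base64.b64encode(SAMPLE_NOTE.encode("utf-8")).decode("ascii"),
    "prc": ["sql", "backup"],   # processes to terminate before encryption
    "wipe": True,               # wipe contents of blacklisted folders
}
SAMPLE_SECTION = build_cfg_section(RC4_KEY, SAMPLE_CONFIG)


if __name__ == "__main__":
    cfg = parse_cfg_section(SAMPLE_SECTION)
    print(json.dumps(cfg, indent=2))
    print(decode_ransom_note(cfg))
```

The CRC32 check is the practical part: if you dump the wrong section, or the sample uses a different key offset, the decrypt fails loudly instead of producing a plausible-looking but broken JSON string.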

Import Table

Dynamic Import Address Table (IAT)

As an anti-analysis measure, REvil populates its Import Address Table manually at run time, so a static view of the binary shows almost none of the APIs it uses. It does this by looping over a list of DWORDs (one per API) and inserting the resolved function address into its own import table. To get around this, run the ransomware binary in x32dbg and use Scylla to dump memory after the call to the IAT-population function; the procedure is covered in the "Unpack REvil Ransomware" section below.
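The following is an added example, not the post's or the malware's code, of what a hash-driven import table looks like from both sides: the malware walks export directories hashing each name until it matches the DWORD it wants, and the analyst precomputes the hashes of known exports to label the DWORD list pulled from the binary. The hash function here (a ROR13 rotate-and-add over the ASCII export name) is an assumption chosen for illustration; REvil's real routine is not given in the post and may differ. The export directories and their addresses are constructed.

```python
# Added example: runtime IAT population by DWORD hash, plus the reverse lookup.
# ASSUMPTION: ROR13 hashing is used for illustration only; the real sample's
# hash routine is not documented in the post. Export tables below are constructed.

def ror13_hash(name: str) -> int:
    """Rotate-right-13-and-add over the API name, as a 32-bit value."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + byte) & 0xFFFFFFFF
    return h


# Constructed export directories: dll -> {export name: fake address}
EXPORTS = {
    "kernel32.dll": {
        "CloseHandle": 0x7FF10010,
        "VerifyVersionInfoW": 0x7FF10020,
        "GetUserDefaultUILanguage": 0x7FF10030,
        "GetSystemDefaultUILanguage": 0x7FF10040,
    },
    "winhttp.dll": {
        "WinHttpOpen": 0x7FE20010,
        "WinHttpSendRequest": 0x7FE20020,
    },
}


def populate_iat(hash_list, exports=EXPORTS):
    """Malware-side view: for each DWORD, walk every export directory, hash
    each name, and write the first matching address into the table. An
    unmatched hash leaves a 0 (NULL) entry, which is what later crashes a
    sample run on a Windows build whose exports differ."""
    table = []
    for wanted in hash_list:
        addr = 0
        for names in exports.values():
            for name, address in names.items():
                if ror13_hash(name) == wanted:
                    addr = address
                    break
            if addr:
                break
        table.append(addr)
    return table


def label_hashes(hash_list, exports=EXPORTS):
    """Analyst-side view: precompute hash -> (dll, name) once, then label the
    DWORD list dumped from the binary. Unknown hashes map to None, and a
    collision between two known names is reported rather than silently
    picking one."""
    lookup = {}
    for dll, names in exports.items():
        for name in names:
            h = ror13_hash(name)
            if h in lookup and lookup[h] != (dll, name):
                raise ValueError(f"hash collision on {h:#010x}")
            lookup[h] = (dll, name)
    return [lookup.get(h) for h in hash_list]


# Constructed DWORD list as it might sit in the sample's data section,
# including one value that matches no known export.
DWORD_LIST = [
    ror13_hash("VerifyVersionInfoW"),
    ror13_hash("CloseHandle"),
    ror13_hash("WinHttpSendRequest"),
    0xDEADBEEF,
]

if __name__ == "__main__":
    for h, addr, label in zip(DWORD_LIST, populate_iat(DWORD_LIST), label_hashes(DWORD_LIST)):
        print(f"{h:#010x} -> {addr:#010x} {label}")
```

In practice the analyst side is run once over the export tables of the DLLs the sample loads, after recovering the real hash routine from the resolver loop; a DWORD that labels as None usually means a different hash algorithm, a seed, or a DLL you have not included yet.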

Command Line Arguments

The most recent version of REvil accepts command-line arguments that influence many parts of the infection process:

Generate Encryption Keys

REvil stores the session encryption keys in the host's registry, as key/value pairs created under either HKLM or HKCU. The newest REvil sample hides these values under the following location:


Registry keys and values created by REvil. The "stat" JSON data structure is encrypted with the same algorithm used to encrypt the session private key before it is written to the registry.

REvil profiles the compromised host by collecting the following information:

§ Current username

§ Hostname

§ Workgroup/domain name

§ Locale

§ Russian keyboard layout (Boolean)

§ Operating system product name

§ Fixed drive details

§ CPU architecture

REvil serialises this information into a "stat" JSON structure, adds further keys relating to the ransomware itself, and sends it to the C2 server.

Language Checks

The first thing REvil does when executed is determine the system's UI language and the user's keyboard layout. It obtains the language codes through the GetUserDefaultUILanguage and GetSystemDefaultUILanguage Windows APIs and compares them against a list of hardcoded values. If the language matches one of the values shown in the image below, the malware exits and no encryption takes place.

The following languages are whitelisted, so hosts using them are not encrypted:

Unpack REvil Ransomware

During my investigation I found that REvil hides its Windows API imports (the import table) for evasion, and that this strategy can bypass major antivirus and anti-malware software. By setting breakpoints on kernel32.VerifyVersionInfoW and kernel32.CloseHandle we were able to get around this anti-analysis approach. When the debugger hits the breakpoint on kernel32.CloseHandle, the populated import table is at the top of the stack, which let us examine the Windows APIs REvil actually uses and gave us valuable insight into the malware's behaviour.

· Full list of the import table after unpacking:

WinHttpSendRequest(), used to connect to the command-and-control server, is one API that was not visible before unpacking.

Ransom Note

The ransom message is stored as Base64-encoded text in the nbody field of REvil's configuration. An example note is as follows:

REvil also replaces the desktop wallpaper:

The note containing instructions for ransom payment:

Decryption Website

The ransom message asks the victim to use a unique URL to recover their data. The URL leads to an attacker-controlled website that shows the form seen in the image. Victims must enter the key and the extension name from the ransom note. The key given in the note is the Base64-encoded version of the encrypted stat data stored in the registry.

We've reached the end of today's session. I hope you enjoyed reading it as much as I enjoyed writing it. Now that you have been introduced to this malware, you can use what you have learned to dig deeper into it.

“When solving problems, dig at the roots instead of just hacking at the leaves.”

Stay home, stay safe!

Written by Osuni Abeywickrama — 2nd Year 2nd Semester -Cyber Security Student-SLIIT



