Day 25: REvil Ransomware

Common Attack Vectors

  • Remote Desktop Protocol (exposed or weakly authenticated RDP)
  • Phishing email
  • Unpatched VPN devices

Vulnerabilities Exploited

  • Unpatched software and network appliances, including:
  • Win32k Elevation of Privilege Vulnerability (CVE-2018-8453)
  • Oracle WebLogic Server deserialization vulnerability (CVE-2019-2725)
  • Kaseya VSA zero-day vulnerability (CVE-2021-30116)

Industries Targeted Frequently

Manufacturing

Threat actors target manufacturing facilities because halting production and product distribution creates immediate pressure to pay.

Healthcare

Threat actors target healthcare organizations to steal patients' names, financial records, Social Security numbers, and other personal information.

Legal

Threat actors target legal companies and law firms to steal their clients' confidential information.

Critical Infrastructure

Threat actors target critical infrastructure, impacting businesses that provide services to consumers and other organizations.

Enterprises

Threat actors target enterprises, stealing sensitive data, encrypting network files and demanding ransoms.

Recent Activity

REvil operators exploited unpatched Pulse Secure VPN servers to gain initial access, then disabled antivirus on the compromised hosts.

REvil ransomware was pushed through Kaseya VSA remote management software to the managed service providers that run it, encrypting devices at roughly 1,500 downstream businesses.

Administrador de Infraestructuras Ferroviarias (ADIF), Spain's state-owned railway infrastructure management body, was breached by REvil ransomware.

US wine and spirits giant Brown-Forman, maker of Jack Daniel's, suffered a REvil ransomware breach in which the attackers stole and encrypted 1 TB of data.

Common File Extensions

A random 5-8 character extension, generated per victim and appended to every encrypted file

Known Aliases

  • Sodinokibi
  • Sodin

How REvil Ransomware is Distributed

In the Kaseya incident, REvil ransomware was delivered as a malicious update pushed from compromised Kaseya VSA servers to the endpoints they manage. The update runs a command line that disables Windows Defender real-time protection with Set-MpPreference, copies certutil.exe to %SystemDrive%\Windows\cert.exe, and uses that renamed copy to base64-decode agent.crt into agent.exe; renaming the utility evades simple detections that key on the file name certutil.exe. agent.exe carries two embedded resources, MODLIS and SOFTIS, which it drops into the Windows folder as mpsvc.dll and MsMpEng.exe. MsMpEng.exe is a legitimate but outdated version of Microsoft's Antimalware Service Executable that is vulnerable to DLL side-loading: when it starts it loads a DLL named mpsvc.dll from its own directory, so a malicious DLL of that name placed beside it is loaded into a signed, trusted-looking process. agent.exe drops MsMpEng.exe and mpsvc.dll, then executes MsMpEng.exe.

The malicious mpsvc.dll is loaded when MsMpEng.exe runs and calls its exported ServiceCrtMain, which starts the ransomware. REvil performs its cryptographic operations using OpenSSL. The loader brings the payload into memory with CreateFileMappingW and MapViewOfFile: the first creates a file-mapping handle, the second maps the file into the process address space and returns a pointer to the start of the mapped view. The malware then allocates memory and decrypts the main payload, a PE file, into it. The MZ (0x4D5A) and PE (0x5045) signatures are stripped from the decrypted header, so memory scanners that look for an intact PE header do not recognize the in-memory image. Next the malware decrypts its embedded JSON configuration, modifies the local firewall rules, and reboots the machine into Safe Mode with Networking, where most security products are not running. For file encryption REvil uses Elliptic-curve Diffie-Hellman (Curve25519) to protect the per-file keys and Salsa20 to encrypt file contents. Before encrypting, it terminates processes that would hold files open (email clients, SQL Server and other database servers, Microsoft Office applications, browsers and similar tools) and deletes Volume Shadow Copies and backups so that files cannot be recovered locally.
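The two paragraphs above give a compact set of host indicators for the chain: a Defender-tampering PowerShell command, certutil copied and renamed before a -decode call, MsMpEng.exe executing from a directory other than Defender's own, mpsvc.dll loaded from that same directory, then shadow-copy deletion and a safe-boot change. The Python below is an added example, not code from the original page or from any SpearTip product: it runs such rules over constructed process-create and image-load records shaped like Sysmon events 1 and 7 (the field names and every sample row are assumptions; the command lines are modelled on the ones reported for the Kaseya incident).

```python
import ntpath
import re

# Directories the genuine Defender service binary and its DLLs live in.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Constructed sample telemetry (not real logs). Each dict mimics the fields of a
# Sysmon process-create (id 1) or image-load (id 7) event; the command lines
# follow the publicly reported Kaseya chain and REvil's post-execution actions.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
                "-DisableIOAVProtection $true -DisableScriptScanning $true"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe"},
    {"id": 1, "image": r"C:\Windows\cert.exe",
     "cmdline": r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe"},
    {"id": 1, "image": r"C:\Windows\MsMpEng.exe", "cmdline": r"C:\Windows\MsMpEng.exe"},
    {"id": 7, "image": r"C:\Windows\MsMpEng.exe", "loaded": r"C:\Windows\mpsvc.dll"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"id": 1, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {current} safeboot network"},
    # Benign control rows: the real Defender service and an ordinary certutil call.
    {"id": 1, "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2104.14-0\MsMpEng.exe",
     "cmdline": "MsMpEng.exe"},
    {"id": 7, "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2104.14-0\MsMpEng.exe",
     "loaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2104.14-0\mpsvc.dll"},
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -dump C:\temp\server.cer"},
]


def _in_defender_dir(path: str) -> bool:
    return path.lower().startswith(DEFENDER_DIRS)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def check_process(ev: dict) -> list:
    """Rules for a process-create event; returns the names of the rules that fired."""
    hits = []
    name = _name(ev["image"])
    cmd = ev["cmdline"].lower()
    # Defender real-time protection switched off from the command line.
    if "set-mppreference" in cmd and re.search(r"-disable\w+\s+\$true", cmd):
        hits.append("defender_tamper")
    # certutil.exe copied (the Kaseya chain renamed it to cert.exe before use).
    if re.search(r"\bcopy\b.*certutil\.exe", cmd):
        hits.append("certutil_copied")
    # A -decode call from a binary not named certutil.exe: renamed LOLBin.
    if re.search(r"(^|\s)-decode(\s|$)", cmd) and name != "certutil.exe":
        hits.append("renamed_certutil_decode")
    # Defender's service binary running from anywhere but Defender's directories.
    if name == "msmpeng.exe" and not _in_defender_dir(ev["image"]):
        hits.append("msmpeng_outside_defender_dir")
    # Backup destruction ahead of encryption.
    if name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        hits.append("shadow_copy_deletion")
    if name == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd:
        hits.append("shadow_copy_deletion")
    # Boot configuration changed to force Safe Mode on the next restart.
    if name == "bcdedit.exe" and "safeboot" in cmd:
        hits.append("safeboot_config")
    return hits


def check_image_load(ev: dict) -> list:
    """Rule for an image-load event: mpsvc.dll loaded from outside Defender's directories."""
    if _name(ev["loaded"]) == "mpsvc.dll" and not _in_defender_dir(ev["loaded"]):
        return ["mpsvc_sideload"]
    return []


def detect(events: list) -> list:
    """Run every rule over the event stream; returns (rule, image) pairs in event order."""
    findings = []
    for ev in events:
        if ev["id"] == 1:
            hits = check_process(ev)
        elif ev["id"] == 7:
            hits = check_image_load(ev)
        else:
            hits = []
        findings.extend((rule, ev["image"]) for rule in hits)
    return findings


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {image}")
```

The path-based rules matter more than the name-based ones: a renamed certutil still decodes, and MsMpEng.exe is a genuinely signed Microsoft binary, so "signed" tells you nothing here; what is anomalous is the directory it runs from and the DLL it pulls in from that directory.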
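The stripped-signature trick only defeats scanners that key on the two magic values. The Python below is an added example, not code from the page or from REvil: it constructs a minimal PE32+ header in a buffer (a constructed, non-functional image), zeroes the MZ and PE signatures the way the paragraph describes, and shows that a structural check on fields the Windows loader must still be able to read (e_lfanew in a sane range, a known Machine, SizeOfOptionalHeader agreeing with the optional-header Magic, the executable-image flag) still locates the header. Field offsets and constants come from the PE format; the e_lfanew range used as a heuristic is an assumption.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# SizeOfOptionalHeader a standard PE32 / PE32+ image carries, paired with its Magic.
VALID_OPTIONAL = {(0xE0, PE32_MAGIC), (0xF0, PE32PLUS_MAGIC)}


def build_sample_image() -> bytearray:
    """Constructed, non-functional PE32+ image: DOS header, NT headers and one section
    header, surrounded by filler so the scanners must locate it inside a larger buffer."""
    e_lfanew = 0x80
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    image = dos + bytes(e_lfanew - len(dos))           # zeroed DOS stub
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | LAA | DLL)
    image += b"PE\0\0" + struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0, 0xF0, 0x2022)
    optional = bytearray(0xF0)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC)
    image += optional
    image += b".text".ljust(8, b"\0") + bytes(32)       # one IMAGE_SECTION_HEADER
    filler = bytearray(b"\xAA" * 0x200)
    return filler + image + filler


def find_by_magic(buf: bytes) -> list:
    """Signature-only scan: requires both 'MZ' and 'PE\\0\\0' to be intact."""
    hits, i = [], buf.find(b"MZ")
    while i != -1:
        if i + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, i + 0x3C)[0]
            if buf[i + e_lfanew:i + e_lfanew + 4] == b"PE\0\0":
                hits.append(i)
        i = buf.find(b"MZ", i + 1)
    return hits


def find_by_structure(buf: bytes) -> list:
    """Structural scan: checks fields the loader needs, which an in-memory image cannot
    zero without becoming unusable, so it survives stripped signatures."""
    hits = []
    for i in range(0, len(buf) - 0x40 + 1):
        e_lfanew = struct.unpack_from("<I", buf, i + 0x3C)[0]
        if not 0x40 <= e_lfanew <= 0x400:               # assumed sane range for e_lfanew
            continue
        nt = i + e_lfanew
        if nt + 26 > len(buf):                           # need COFF header + optional Magic
            continue
        machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, nt + 4)
        if machine not in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
            continue
        if not 1 <= nsections <= 96:                     # the loader rejects more than 96
            continue
        opt_magic = struct.unpack_from("<H", buf, nt + 24)[0]
        if (opt_size, opt_magic) not in VALID_OPTIONAL:
            continue
        if not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
            continue
        hits.append(i)
    return hits


def strip_magic(buf: bytes) -> bytearray:
    """Reproduce the evasion: zero the MZ and PE signatures of the first image found."""
    out = bytearray(buf)
    i = out.find(b"MZ")
    e_lfanew = struct.unpack_from("<I", out, i + 0x3C)[0]
    out[i:i + 2] = b"\0\0"
    out[i + e_lfanew:i + e_lfanew + 4] = b"\0\0\0\0"
    return out


if __name__ == "__main__":
    img = build_sample_image()
    print("intact  :", find_by_magic(img), find_by_structure(img))
    stripped = strip_magic(img)
    print("stripped:", find_by_magic(stripped), find_by_structure(stripped))
```

The structural scan is O(n) over the buffer with a handful of field reads per offset, which is cheap enough for a memory-scanner; what it buys is that the attacker would have to corrupt e_lfanew, Machine or the optional-header Magic to hide, and the image cannot then be used by a normal PE loader.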

ShadowSpear

SpearTip’s ShadowSpear platform defends your environment with unparalleled resources preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices providing security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.