Day 25: REvil Ransomware

Common Attack Vectors

  • Remote Desktop Protocol
  • Phishing Email
  • VPN devices
  • Elliptic curve cryptography (ECC)

Vulnerabilities Exploited

  • Software and Hardware
  • Win32k Elevation of Privilege Vulnerability (CVE-2018-8453)
  • Oracle WebLogic Vulnerabilities
  • Kaseya VSA zero-day vulnerability (CVE-2021-30116)

Industries Targeted Frequently


Threat actors target manufacturing facilities to disrupt product distribution.


Threat actors target healthcare industries to steal patients' names, financial records, social security numbers, and other personal information.


Threat actors target legal companies and law firms, stealing their clients' confidential information.

Critical Infrastructure

Threat actors target critical infrastructure, impacting businesses that provide services to consumers and other organizations.


Threat actors target enterprises, stealing sensitive data, encrypting network files and demanding ransoms.

Recent Activity

REvil ransomware targeted unpatched Pulse Secure VPN servers to gain access and disable antivirus.

REvil ransomware targeted numerous companies using Kaseya VSA remote management software and locked down millions of devices.

Administrador de Infraestructuras Ferroviarias (ADIF), Spain’s state-owned railway infrastructure management body, was breached by the REvil ransomware

US wine and spirits giant Brown-Forman, maker of Jack Daniel’s, suffer a REvil ransomware breach that stole and encrypted 1TB of data.

Common File Extensions

Random 5-8 characters extension

Known Aliases

  • Sodinokibi
  • Sodin

How REvil Ransomware is Distributed

REvil ransomware is delivered through a malicious update payload sent out to the Kaseya VSA server platform. The ransomware disables Windows Defender, copies, and renames certutil.exe to %SystemDrive%\Windows, and decrypts the agent.crt file. Threat actors copy the utility as %SystemDrive%\cert.exe and execute the malicious payload agent.exe, containing “MODLS.RE and SOFIS.RC, to avoid detection. Agent.exe drops the two resources in the windows folder and are dropped as mpsvc.dll and MsMpEng.exe. MsMPEng.exe is an older version of Microsoft’s Antimalware Service executable that is vulnerable to a DDL side-loading attack. The malicious code in the DDL file has a similar name that is required for the target executable during the DDL side-loading attack. Agent.exe drops MsMpeng.exe and mpsvc.ddl and then executes MsMpeng.exe.

The Malicious Mpsvc.dll loads and executes when MpMseng.exe runs and calls the SeviceCrtMain. REvil ransomware conduct its Cryptographic Operations using OpenSSL. Malware brings code in memory using the “CreateFileMappingW” and “MapViewOfFile” functions to create a handle to the mapping and maps the file into memory space and returns a pointer to the start of the mapped file. Memory is allocated by the malware and the main payload (PRE file) is decrypted. Some of the magic contents including 0x4D5A (MZ) and 0x5045 (PE) are removed from the header allowing the malware to evade it. Malware then decrypts and bring config file in JSON format, the ransomware makes changes in the local Firewall rule, forces the computer to boot into safe mode with networking. REvil uses Elliptic-curve Diffie-Hellman key and Salasa20 to encrypt files. The ransomware terminates the processes including email clients, SQL and other database servers, Microsoft Office programs, browsers and other tools on the infected machines and then deletes Windows shadow copies of files and backups preventing file recovery.


SpearTip’s ShadowSpear platform defends your environment with unparalleled resources preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices providing security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.