Rewterz Threat Alert – REvil Ransomware – Active IOCs

Severity

High

Analysis Summary

REvil, also known as Sodinokibi, is ransomware-like malware. This group has gained recognition for its high-profile attacks since its discovery in 2019. Among other tools, it employs advanced encryption techniques and can function without connection to control servers. In July 2021, the REvil ransomware group exploited the Kaseya VSA tool used to perform client monitoring and patch management by MSPs. The gang first compromised the VSA software and then deployed their ransomware on the on-premise servers of enterprise networks. More than 1500 organizations were compromised in that breach.
This ransomware has been used against organizations in the manufacturing, transportation, and electric sectors.
Recently, the REvil ransomware gang appears to be back after the FBS detained 14 of its members in January after a hiatus in activity.

Impact

• Data Encryption

Indicators of Compromise

MD5

• 8a18fa2696f31992ef9bb3a971724f29
• a80bcbe62fd8d070796a757e3ca2a21b
• a055246b0e804eb3a1dda52937f556ef
• 8203a583c5eef23e5fa7fa9d1506d430
• 48a673157da3940244ce0dfb3ecb58e9

SHA-256

• ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397
• 2bad63edfca3e163691110868bfafe4c2fea3ee72f5dc520bee5d4401cec3cec
• a29f63484f53d2cf832b2bc70d6b66378b87b86221f885d0f43166503d631ef3
• b78469fb8eff53d82081bdcb0dbb3436f239b8ca6ef7fd800ce5ba7e098c256f
• 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac

SHA-1

• 5aa9a303eedb9d0a6f0dc5d6c78ccd90b1e6852f
• d9edd7a50a0e94cf764c7c5d77361e83cb62ccac
• 6807425e1252f1154664fc8072dde03558ed35fe
• a03db11124592b36137f3603afdba5e3c999aae9
• f69f954699eaabec17a0157ed3503e7ee2ae8474

Remediation

• Block all threat indicators at your respective controls
• Search for IOCs in your environment.