
Apple ransomware attack

Background of REvil Ransomware: What's the Difference Between REvil and Other Ransomware?

The REvil (Sodinokibi) ransomware group has been quite active in 2021, its latest attack targeting a computer giant, encrypting devices and stealing data. In April 2021 REvil was used to invade Taiwanese Apple supplier Quanta, demanding a ransom of US$50 million for the return of Apple Watch design data.

Sangfor FarSight Labs has been tracking the technical evolution and operating model of the REvil ransomware group, and captured the ransomware matrix used in this attack. Analysts found that the attack files differ in several ways from previous REvil attack files. Technical analysis shows that REvil has improved its anti-virus evasion: digital signatures are forged for both the matrix and its components, operation is staged (files are released first and then invoked through DLL calls), and the functional code is passed through multi-layer payload decryption. The directory keywords excluded from encryption no longer contain "tencent files" and "wechat files".

The REvil ransomware matrix consists of two parts, an EXE file and a DLL file, both encapsulated in an executable named svchost.exe. Double-clicking svchost.exe runs it; MsMpEng.exe and MpSvc.dll are then pulled from its resources and run. Digital signatures are forged for all three files: svchost.exe and MpSvc.dll carry the same forged signature, while MsMpEng.exe carries a forged Microsoft signature. The two files are dropped into the temp directory, and cmd.exe is then run with the /c parameter to execute MsMpEng.exe in the background. MsMpEng.exe itself does little more than load the exported function ServiceCrtMain() from MpSvc.dll. After the two layers of payload in MpSvc.dll are decrypted, the malicious functionality begins to execute.

First, the required string resource collection is decrypted from memory. If the NET field of the configuration is set to "True" (the default is false), basic information about the victim host and the generated key are sent to the C&C server. The domain name configuration contains 1229 characters.

Basic host information is collected, including username, host name, disk type, and the values of the following registry keys:

Subkey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion"
Subkey = "SYSTEM\CurrentControlSet\services\Tcpip\Parameters"

The x4WHjRs value of the registry key BlackLivesMatter under HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_USER\SOFTWARE is then checked. If the value does not exist, a 7-bit encrypted suffix is generated, the key value is created later, and the value is set to the encrypted suffix.

A mutex is created to prevent repeated execution. The SHEmptyRecycleBinW function empties the recycle bin, and SetThreadExecutionState is used to prevent the host from entering sleep mode. REvil then raises the privileges of its own process.

Services are enumerated and, if a service name appears in a built-in list, the service is deleted. Processes are then listed, and any process whose name appears in a second built-in list is terminated.

Files are encrypted by traversing all directories, with a fixed set of directories excluded. A ransom-note txt file is created in each directory. After encryption is completed, the desktop background is changed to the iconic blue background with a message stating that the ransomware attack occurred and the name of the ransom note.
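The host artefacts the analysis describes (a dropper named svchost.exe run from a user directory, MsMpEng.exe and MpSvc.dll launched from the temp directory via cmd.exe /c, and the x4WHjRs value under the BlackLivesMatter registry key) can be expressed as detection logic. The Python below is an added example, not code from the analysis or from Sangfor; the event records are constructed in a simplified Sysmon-like shape, and the "legitimate Defender and system directory" lists are assumptions.

```python
import re
from pathlib import PureWindowsPath
# Assumed locations of the genuine Defender and system binaries (not from the analysis).
DEFENDER_DIRS = (r"c:\program files\windows defender",
                 r"c:\programdata\microsoft\windows defender\platform")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# The x4WHjRs value under HKLM\SOFTWARE or the user hive (HKCU, or HKU\<SID> as Sysmon logs it).
BLM_VALUE = re.compile(r"(hklm|hkcu|hku\\[^\\]+)\\software\\blacklivesmatter\\x4whjrs")

def _under(path, prefixes):
    return any(path.lower().startswith(p) for p in prefixes)

def check_event(ev):
    """Return the names of the indicators that one event record triggers."""
    hits, kind = [], ev["type"]
    if kind == "process_create":
        image, cmd = ev["image"], ev.get("command_line", "")
        name = PureWindowsPath(image).name.lower()
        # dropper named svchost.exe running from outside the system directories
        if name == "svchost.exe" and not _under(image, SYSTEM_DIRS):
            hits.append("svchost_outside_system_dir")
        # cmd.exe /c used to start the fake MsMpEng.exe in the background
        if name == "cmd.exe" and re.search(r"\s/c\s", cmd, re.I) and "msmpeng.exe" in cmd.lower():
            hits.append("cmd_c_launches_msmpeng")
        # Defender's engine name, but loaded from somewhere like %TEMP%
        if name == "msmpeng.exe" and not _under(image, DEFENDER_DIRS):
            hits.append("msmpeng_outside_defender_dir")
    elif kind == "image_load":
        dll = ev["image_loaded"]
        if PureWindowsPath(dll).name.lower() == "mpsvc.dll" and not _under(dll, DEFENDER_DIRS):
            hits.append("mpsvc_dll_outside_defender_dir")
    elif kind == "registry_set" and BLM_VALUE.fullmatch(ev["target"].lower()):
        hits.append("blacklivesmatter_suffix_value")
    return hits

def scan(events):
    return sorted({h for ev in events for h in check_event(ev)})

# Constructed sample stream: the chain from the analysis, plus one benign Defender start.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\alice\Downloads\svchost.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c " + TEMP + r"\MsMpEng.exe"},
    {"type": "process_create", "image": TEMP + r"\MsMpEng.exe"},
    {"type": "image_load", "image_loaded": TEMP + r"\MpSvc.dll"},
    {"type": "registry_set", "target": r"HKLM\SOFTWARE\BlackLivesMatter\x4WHjRs"},
    {"type": "process_create", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
]
```

Running scan(SAMPLE_EVENTS) reports all five indicators while the genuine Defender launch in the last record triggers none; path prefixes should be adjusted to the Defender platform locations actually present in your fleet.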