Notorious REvil Ransomware Gang Launched a New Linux Variant to Attack Linux systems

One of the most active Notorious Ransomware operator gang “REvil” has spread the new variant of ransomware that targets the Linux systems after so many successful attacks against Windows systems around the globe.

REvil ransomware AKA Sodinokibi is one of the most successful ransomware variants in cyberattack history and compromised tens of thousands of victims globally. It is operating as a ransomware-as-a-service model where a set of people maintain the source code and other affiliate groups distribute the ransomware.

Apart from this, Approximately more than 1 million systems were infected with this ransomware, as the hackers have claimed on their darknet portal that includes the recent Kaseya’s Ransomware Attack that hits 40 Customers worldwide and demand $70 Million from the victim to provide the decryption tools.

Researchers from AT&T Labs uncovered 4 REvil Linux variants believed that the Ransomware authors are expanding their arsenal and targeting the ESXi and NAS devices.

REvil is not targeting specific victims instead it attacks several sectors of victims including financial, Energy, Consulting, Healthcare, Information Technology, Hospitality, Manufacturing industries located in the US, Italy, Taiwan, Brasil, the United Kingdom, Australia and more.

REvil Linux Variant Infection Process

A recent report from one of the well-known dark web blogs stated that REvil ported their Windows ransomware version to the Linux architecture.

The first sample of the REvil ransomware linux variant that comes with ELF64 executables has observed on may 2021, and it was infected the *nix systems and ESXi, also the samples are similar to the Windows REvil executable.

During the attack phase, REVil runs the command line tool called “esxcli” to find that how many VMs are running and terminate them to avoid corrupting files during the encryption process.

According to the AT&T report, “When execution starts, the malware will first check if its configuration exists. The configuration file format is very similar to the one observed for REvil Windows samples, but with fewer fields. Some of the fields presented in both versions”

During the process of encryption, the Ransomware variant generates the 64 bytes XOR key which is based on the configuration file PK key and the same key will be used for the encryption process.

Once it will complete the encryption process, it will write a key at the end of every file on the targeted system along with the ransomware notes in each folder.

Hard-coded ransom note after decoding

Attackers behind this REvil RaaS have rapidly developed a Linux version to compete against the recently released Linux version of DarkSide. researchers said.

You can also read: Ransomware Attack Response and Mitigation Checklist

Indicator of Compromise

SHA256

ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4
d6762eff16452434ac1acc127f082906cc1ae5b0ff026d0d4fe725711db47763
796800face046765bd79f267c56a6c93ee2800b76d7f38ad96e5acb92599fcd4
3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d