
Notorious REvil Ransomware Gang Launches a New Linux Variant to Attack Linux Systems

One of the most active and notorious ransomware operator gangs, “REvil”, has released a new variant of its ransomware that targets Linux systems, following many successful attacks against Windows systems around the globe.

REvil ransomware, also known as Sodinokibi, is one of the most successful ransomware families in cyberattack history and has compromised tens of thousands of victims globally. It operates under a ransomware-as-a-service model in which a core group maintains the source code and affiliate groups distribute the ransomware.

Apart from this, more than 1 million systems have reportedly been infected with this ransomware, as the hackers have claimed on their darknet portal; this includes the recent Kaseya ransomware attack, which hit 40 customers worldwide, with the attackers demanding $70 million from the victim in exchange for the decryption tools.

Researchers from AT&T Labs uncovered 4 REvil Linux variants and believe that the ransomware authors are expanding their arsenal to target ESXi and NAS devices.

REvil does not target specific victims; instead it attacks organizations across several sectors, including financial, energy, consulting, healthcare, information technology, hospitality and manufacturing, located in the US, Italy, Taiwan, Brazil, the United Kingdom, Australia and more.

REvil Linux Variant Infection Process

A recent report from a well-known dark web blog stated that REvil had ported its Windows ransomware to the Linux architecture.

The first sample of the REvil ransomware Linux variant, shipped as an ELF64 executable, was observed in May 2021; it infected *nix systems and ESXi, and the samples are similar to the Windows REvil executable.

During the attack phase, REvil runs the command-line tool “esxcli” to find out how many VMs are running and terminates them, so that open VM files are not corrupted during the encryption process.
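The VM-termination step described above leaves a trace in the ESXi shell log, which gives defenders something to alert on. The following detector is an added example written for this article, not code from the article or from the AT&T report; the log lines are constructed to approximate ESXi shell.log output, and the world IDs, PIDs and timestamps are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, approximating the ESXi shell.log format.
# Session 2099 lists VMs and then force-kills three of them within seconds;
# session 3310 is an admin doing a single soft kill a few minutes after listing.
SAMPLE_SHELL_LOG = """\
2021-06-28T02:14:03Z shell[2099]: [root]: esxcli vm process list
2021-06-28T02:14:09Z shell[2099]: [root]: esxcli vm process kill --type=force --world-id=2101234
2021-06-28T02:14:10Z shell[2099]: [root]: esxcli vm process kill --type=force --world-id=2101301
2021-06-28T02:14:11Z shell[2099]: [root]: esxcli vm process kill --type=force --world-id=2101377
2021-06-28T09:30:45Z shell[3310]: [root]: esxcli vm process list
2021-06-28T09:35:02Z shell[3310]: [root]: esxcli vm process kill --type=soft --world-id=2101500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)


def parse(log_text):
    """Turn shell.log lines into (timestamp, shell pid, user, command) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not shell command records
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["pid"], m["user"], m["cmd"].strip()))
    return events


def find_mass_vm_kills(log_text, window=timedelta(minutes=2), min_kills=2):
    """Flag a shell session that enumerates VM processes and then force-kills
    at least `min_kills` of them within `window` of the enumeration."""
    by_pid = {}
    for ts, pid, user, cmd in parse(log_text):
        by_pid.setdefault(pid, []).append((ts, user, cmd))
    alerts = []
    for pid, cmds in by_pid.items():
        for i, (ts, user, cmd) in enumerate(cmds):
            if not cmd.startswith("esxcli vm process list"):
                continue
            kills = [c for (t, _, c) in cmds[i + 1:]
                     if "esxcli vm process kill" in c
                     and "--type=force" in c and t - ts <= window]
            if len(kills) >= min_kills:
                alerts.append({"pid": pid, "user": user,
                               "list_at": ts.isoformat(), "force_kills": len(kills)})
    return alerts
```

Thresholds are deliberately conservative; tune `window` and `min_kills` against the normal operational cadence of your own ESXi hosts.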

According to the AT&T report, “When execution starts, the malware will first check if its configuration exists. The configuration file format is very similar to the one observed for REvil Windows samples, but with fewer fields. Some of the fields presented in both versions”

During encryption, the Linux variant generates a 64-byte XOR key derived from the PK key in the configuration file, and the same key is used for the encryption process.

Once the encryption is complete, it writes the key at the end of every encrypted file on the targeted system and drops the ransom note in each folder.

Hard-coded ransom note after decoding

Attackers behind the REvil RaaS have rapidly developed a Linux version to compete against the recently released Linux version of DarkSide, the researchers said.


Indicators of Compromise

SHA256

ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4
d6762eff16452434ac1acc127f082906cc1ae5b0ff026d0d4fe725711db47763
796800face046765bd79f267c56a6c93ee2800b76d7f38ad96e5acb92599fcd4
3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
