Secureworks Counter Threat Unit (CTU) researchers recently identified a REvil ransomware version 2.02 sample in the wild. CTU analysis of the sample revealed several modifications that increase REvil’s ability to encrypt files and enable it to continue file encryption if the infected computer was turned off and restarted before the original encryption process was complete.
These modifications include:
• Implements resource conflict control: To successfully encrypt a file, REvil must first obtain a handle on the target file. Obtaining a handle on a file can fail for a number of reasons, including lack of permissions or resource conflicts. REvil 2.02 enhanced its encryption function by implementing logic that addresses resource conflicts to maximize total files encrypted. The KillResourceLock function leverages the Windows Restart Manager to kill processes or services that hold a resource lock on the file that REvil is attempting to encrypt. If the function resolves the resource conflict, REvil encrypts the target file. Otherwise, the file is skipped.
• Reimplements persistence and self-deletion: After removing the persistence and self-deletion functionalities from REvil 2.01, the malware authors reimplemented them in version 2.02. The persistence mechanism ensures that file encryption will continue if the infected computer was turned off and restarted before the original encryption process was complete. REvil’s persistence capability is controlled by the ‘arn’ configuration key value, which is a Boolean true or false value.
• Adds ‘-silent’ command-line argument to control ‘killshot’ functions: REvil 2.01 added logic to its main function that rendered killshot functions optional. These functions, which can kill blacklisted processes, delete blacklisted services, and delete shadow copies, could be enabled or disabled by setting a Boolean control variable to either true or false.
However, the malware author neglected to implement logic that sets this variable, so the killshot functions could not execute in REvil 2.01. REvil 2.02 addresses this oversight by implementing the ‘-silent’ command-line argument. If this argument is not passed, the Boolean control variable is set to true, which executes the killshot functions. If -silent is passed, the Boolean control variable is set to false, which skips the killshot functions.
• Updates registry keys: In REvil 2.02, the registry Run key used for persistence has the hard-coded value ‘mjOObKp0yy’. The registry key used to store encryption-related information was changed to SOFTWARE\Facebook_Assistant. The value names stored within this key also changed, consistent with the author’s pattern of renaming the registry values in each version.
The CTU research team has developed the Red Cloak countermeasures to detect activity associated with this threat and is investigating the feasibility of iSensor countermeasures. Third-party devices receive updated protection as it is released from the respective vendors and deployed by Secureworks device management security teams.