Analytics Story: Revil Ransomware
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the Revil ransomware, including looking for file writes associated with Revil, encrypting network shares, deleting shadow volume storage, registry key modification, deleting of security logs, and more.
Why it matters
Revil ransomware is a RaaS,that a single group may operates and manges the development of this ransomware. It involve the use of ransomware payloads along with exfiltration of data. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 13 |  Windows |
XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows |
XmlWinEventLog |
XmlWinEventLog:Security |
| Sysmon EventID 1 | Windows |
XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor |
crowdstrike |
| Sysmon EventID 7 | Windows |
XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Powershell Script Block Logging 4104 | Windows |
XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 12 | Windows |
XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows |
XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
References
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/
- https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/
Source: GitHub | Version: 2