Home / Industry

REvil Ransomware: What Can We Learn from Published IoCs in 2022?

Ransomware has been one of the biggest threats to Internet users the world over since the malware first surfaced. REvil was one of the most notorious ransomware variants of 2021, pushing the U.S. Department of State to offer a US$10 million reward to anyone who can name and locate REvil gang leaders and up to US$5 million for any of their affiliates in November.

Several security predictions reports say ransomware will continue to be a top threat this year. In an effort to help individuals and companies alike reduce their chances of becoming the next REvil victim, we obtained a list of known indicators of compromise (IoCs) for expansion.

Our analysis led us to these findings:

  • 103 IP address resolutions of the 99 domains
  • 15 of the 103 IP addresses (15%) are dubbed “dangerous” by various malware engines
  • 16 origin countries and 52 Internet service providers (ISPs) of the connected IP addresses
  • 75 domains that shared the 15 malicious IP hosts

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.

What Publicly Available Threat Sources Say

The first step we took was to look for a publicly accessible list of REvil IoCs. AlienVault gave us 99 known REvil-related domains. We also know that the REvil gang disappeared from the Internet in July 2021. They resurfaced in September that same year. Finally, a suspected REvil gang member was arrested in November 2021.

IoC List Expansion

To add artifacts to the pre-identified web properties, we subjected the domains to DNS lookups. That provided us with a list of 103 unique IP address resolutions.

Malware checks via Threat Intelligence Platform (TIP) revealed that 15 of the connected IP addresses are dangerous, according to various malware databases. These IP addresses are:

  • 192[.]0[.]78[.]13
  • 192[.]0[.]78[.]12
  • 164[.]132[.]235[.]17
  • 23[.]227[.]38[.]65
  • 192[.]99[.]236[.]66
  • 185[.]230[.]63[.]186
  • 185[.]230[.]63[.]107
  • 23[.]185[.]0[.]2
  • 141[.]138[.]169[.]215
  • 18[.]189[.]231[.]213
  • 77[.]72[.]0[.]150
  • 208[.]100[.]26[.]245
  • 136[.]243[.]123[.]152
  • 89[.]145[.]92[.]32
  • 13[.]248[.]216[.]40

Subjecting the 103 IP addresses to a bulk IP geolocation lookup revealed that the 103 IP addresses originated from 16 countries. A majority of the IP addresses trace their roots to the U.S. (56), followed by Germany (14) and France (9).

Chart 1: Countries where the IP addresses point to

It may not be surprising that many of the IP addresses are based in the U.S., given that the gang has been terrorizing many of the country’s enterprises (hence the U.S. Department of State ransom offering). And while alleged gang member Yaroslav Vasinskyi is a Ukrainian national, notice that only one of the IP addresses (185[.]68[.]16[.]21) is based in the Ukraine. Vasinskyi was arrested in Poland, which could mean he has been hiding out in the country for some time. Note that cybercriminals make it a point to hide their real locations, hence the lack of IP addresses geolocated in the Ukraine (where Vasinskyi is from) and Poland (where he was arrested).

The bulk IP geolocation lookup also showed that the IP addresses were hosted by 52 ISPs led by Cloudflare, Inc. (21), Amazon.com, Inc. or Amazon Technologies, Inc. (EC2) (6), and Hetzner Online GmbH (6).

Chart 2: ISPs of the connected IP addresses

ISP information is crucial for takedown purposes if you wish to request for such an action.

In addition to blocking and stricter traffic monitoring, users should also be wary of or interested in checking the domains that share the dangerous IP hosts. Subjecting them to reverse IP lookups provided a list of 75 domains that shared the malicious IP hosts. While none of them are getting detected as dangerous, monitoring access to them at the least is worth doing given their connection to IP addresses.


For additional protection against REvil, it’s essential to closely monitor the malicious IP addresses and unknown ones that don’t belong to trusted contacts and are geolocated in the 16 origin countries identified. Reporting the malicious IP addresses to their respective ISPs for takedown may also prove helpful.

As we’ve seen in this post, REvil and other ransomware variants may still pose great risk to Internet users as evidenced by the continued existence of related web properties.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

DNS

Sponsored byDNIB.com