|
||
|
||
Ransomware has been one of the biggest threats to Internet users the world over since the malware first surfaced. REvil was one of the most notorious ransomware variants of 2021, pushing the U.S. Department of State to offer a US$10 million reward to anyone who can name and locate REvil gang leaders and up to US$5 million for any of their affiliates in November.
Several security predictions reports say ransomware will continue to be a top threat this year. In an effort to help individuals and companies alike reduce their chances of becoming the next REvil victim, we obtained a list of known indicators of compromise (IoCs) for expansion.
Our analysis led us to these findings:
As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.
The first step we took was to look for a publicly accessible list of REvil IoCs. AlienVault gave us 99 known REvil-related domains. We also know that the REvil gang disappeared from the Internet in July 2021. They resurfaced in September that same year. Finally, a suspected REvil gang member was arrested in November 2021.
To add artifacts to the pre-identified web properties, we subjected the domains to DNS lookups. That provided us with a list of 103 unique IP address resolutions.
Malware checks via Threat Intelligence Platform (TIP) revealed that 15 of the connected IP addresses are dangerous, according to various malware databases. These IP addresses are:
Subjecting the 103 IP addresses to a bulk IP geolocation lookup revealed that the 103 IP addresses originated from 16 countries. A majority of the IP addresses trace their roots to the U.S. (56), followed by Germany (14) and France (9).
It may not be surprising that many of the IP addresses are based in the U.S., given that the gang has been terrorizing many of the country’s enterprises (hence the U.S. Department of State ransom offering). And while alleged gang member Yaroslav Vasinskyi is a Ukrainian national, notice that only one of the IP addresses (185[.]68[.]16[.]21) is based in the Ukraine. Vasinskyi was arrested in Poland, which could mean he has been hiding out in the country for some time. Note that cybercriminals make it a point to hide their real locations, hence the lack of IP addresses geolocated in the Ukraine (where Vasinskyi is from) and Poland (where he was arrested).
The bulk IP geolocation lookup also showed that the IP addresses were hosted by 52 ISPs led by Cloudflare, Inc. (21), Amazon.com, Inc. or Amazon Technologies, Inc. (EC2) (6), and Hetzner Online GmbH (6).
ISP information is crucial for takedown purposes if you wish to request for such an action.
In addition to blocking and stricter traffic monitoring, users should also be wary of or interested in checking the domains that share the dangerous IP hosts. Subjecting them to reverse IP lookups provided a list of 75 domains that shared the malicious IP hosts. While none of them are getting detected as dangerous, monitoring access to them at the least is worth doing given their connection to IP addresses.
For additional protection against REvil, it’s essential to closely monitor the malicious IP addresses and unknown ones that don’t belong to trusted contacts and are geolocated in the 16 origin countries identified. Reporting the malicious IP addresses to their respective ISPs for takedown may also prove helpful.
As we’ve seen in this post, REvil and other ransomware variants may still pose great risk to Internet users as evidenced by the continued existence of related web properties.
If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byCSC
Sponsored byDNIB.com
Sponsored byRadix
A World-Renowned Source for Internet Developments. Serving Since 2002.