FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
gthirugnanasa
Article Id 189638

Introduction

Ransomware is a specific type of malware that holds data hostage in exchange for a ransom. It threatens to publish, block, or corrupt data, or to prevent a user from accessing their computer, unless the attacker's demands are met.

The REvil Ransomware-as-a-Service (RaaS) operation, also known as Sodinokibi, surfaced shortly before GandCrab's authors supposedly retired and quickly became one of the biggest ransomware threats.

Protection Mode

When the security policy is set to Protection mode, FortiEDR prevents the REvil ransomware from being executed as soon as it is accessed. FortiEDR detects this variant as W32/Kryptik.HCJV!tr.ransom.

Simulation Mode (Log only)

In Simulation mode, FortiEDR does not block malicious activity; it only logs and alerts on violations of FortiEDR security policies, so the events below record the actions each rule would block in Protection mode. Let's take a look at all of the events that FortiEDR triggered for the REvil ransomware.

  • File Write Access:

The REvil ransomware attempts to encrypt the Windows Boot Manager (bootmgr), which would prevent the victim from booting the compromised system. The File Encryptor rule under FortiEDR's Ransomware Prevention policy detects this file write operation and, in Protection mode, blocks it.

  • Network Share Discovery:

The ransomware targets networked SMB shares: it attempts to enumerate all open Server Message Block (SMB) shares and encrypt any that are found. FortiEDR detects this network activity and, in Protection mode, blocks it.

  • Network Discovery:

The ransomware attempts to enable Network Discovery using netsh.exe. Network Discovery lets a Windows host see, and be seen by, other computers and devices on the same network, and it underpins file sharing between them. The ransomware turns it on so that it can reach the network shares it intends to encrypt; a side effect is that the compromised host is now reachable by every other machine on the segment. The Suspicious Script Execution rule under FortiEDR's Execution Prevention policy detects this activity and, in Protection mode, blocks it.

The ransomware runs the command netsh.exe advfirewall firewall set rule group="Network Discovery" new enable=Yes to allow network discovery, which is captured by FortiEDR's automated analysis. The command enables every Windows Firewall rule in the "Network Discovery" group (the rules Windows itself toggles when Network Discovery is switched on for a profile), so a netsh.exe child of a user-land process with this command line is a strong hunting indicator in its own right.

  • Modify OS Settings:

FortiEDR detects the ransomware's attempt to modify the system registry. After successfully encrypting all user files, the REvil ransomware modifies the registry value that controls the Desktop wallpaper, so that its own image is displayed on the victim's desktop.

  • WMI Access:

The ransomware launches the process Unsecapp.exe via COM. Unsecapp.exe is a Microsoft-signed process that is part of Windows Management Instrumentation (WMI); it is the sink that receives asynchronous callbacks for WMI client applications. WMI is used to communicate with local and remote systems and to perform tactics such as gathering data for Discovery and remote file execution as part of Lateral Movement, so a ransomware process initiating WMI activity is worth investigating even though Unsecapp.exe itself is legitimate. The following process creation is captured with the FortiEDR v5 Threat Hunting feature.

  • File Creation

After encrypting user files, the ransomware drops the ransom note "6rgzi0fbw-readme.txt". FortiEDR's Exfiltration Prevention policy detects the new file creation and, in Protection mode, blocks it.

  • Ransomware Note

Threat Hunting

The registry value that is modified by the ransomware can be located using FortiEDR's v5 Threat Hunting feature.

After encrypting user data, ransomware usually renames the files. The number of files renamed is large, and renaming that many files in a short time is unusual for any legitimate process. An unusually high rate of file renames is therefore a useful signal of ransomware activity; the Threat Hunting event type "File Rename" can be used to monitor for it.
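The netsh Network Discovery command from the Network Discovery section, the wallpaper registry change from Modify OS Settings and the File Rename signal above can all be expressed as hunting logic over the process, file and registry events an EDR exports. The following Python script is an added example written for this article, not FortiEDR's own rules, query syntax or output. Everything it relies on is an assumption made here: the event schema and field names, the threshold of 50 renames within 5 seconds, the convention that the note is named <extension>-readme.txt after the extension appended to encrypted files, and the HKCU\Control Panel\Desktop\Wallpaper value as the key the ransomware changes. The event stream it runs over is constructed, with one ransomware process (PID 4120) and two benign processes as noise.

```python
import re
from collections import defaultdict

# Firewall change described on the page: netsh.exe advfirewall firewall set rule
# group="Network Discovery" new enable=Yes. The quotes are optional in the pattern so
# telemetry that strips them still matches.
NETSH_DISCOVERY = re.compile(
    r'advfirewall\s+firewall\s+set\s+rule\s+group="?network discovery"?\s+new\s+enable=yes',
    re.IGNORECASE,
)
# Assumption: the wallpaper is changed through this value (the page names no key).
WALLPAPER_KEY = (r"hkcu\control panel\desktop", "wallpaper")

# Constructed sample telemetry (not FortiEDR output). ts = seconds since an arbitrary start.
# PID 4120 is the ransomware; PIDs 900 and 950 are benign noise.
SAMPLE_EVENTS = [
    {"ts": 0.0, "type": "ProcessCreate", "pid": 4120, "ppid": 700,
     "image": r"C:\Users\victim\AppData\Local\Temp\payload.exe", "cmdline": "payload.exe"},
    {"ts": 0.5, "type": "ProcessCreate", "pid": 4130, "ppid": 4120,
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh.exe advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    # 60 renames in 3 seconds; the appended extension (assumed) matches the note name prefix
    *[{"ts": 1.0 + i * 0.05, "type": "FileRename", "pid": 4120,
       "path": rf"C:\Users\victim\Documents\doc{i}.docx",
       "new_path": rf"C:\Users\victim\Documents\doc{i}.docx.6rgzi0fbw"} for i in range(60)],
    {"ts": 2.0, "type": "FileRename", "pid": 900,
     "path": r"C:\Users\victim\Documents\report.docx",
     "new_path": r"C:\Users\victim\Documents\report_v2.docx"},
    {"ts": 4.5, "type": "FileCreate", "pid": 4120,
     "path": r"C:\Users\victim\Documents\6rgzi0fbw-readme.txt"},
    {"ts": 4.6, "type": "RegistrySet", "pid": 4120, "key": r"HKCU\Control Panel\Desktop",
     "value": "Wallpaper", "data": r"C:\Users\victim\AppData\Local\Temp\note.bmp"},
    {"ts": 5.0, "type": "ProcessCreate", "pid": 950, "ppid": 700,
     "image": r"C:\Windows\System32\netsh.exe", "cmdline": "netsh.exe interface show interface"},
]


def netsh_network_discovery(events):
    """ProcessCreate events where netsh.exe enables the Network Discovery rule group."""
    return [e for e in events if e["type"] == "ProcessCreate"
            and e["image"].lower().endswith("netsh.exe")
            and NETSH_DISCOVERY.search(e["cmdline"])]


def rename_bursts(events, window=5.0, threshold=50):
    """{pid: (max renames inside any `window` seconds, most common new extension)}
    for every PID whose peak rename rate reaches `threshold`."""
    by_pid = defaultdict(list)
    for e in events:
        if e["type"] == "FileRename":
            by_pid[e["pid"]].append(e)
    hits = {}
    for pid, renames in by_pid.items():
        renames.sort(key=lambda e: e["ts"])
        best = start = 0
        for end in range(len(renames)):          # sliding window over sorted timestamps
            while renames[end]["ts"] - renames[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            ext = defaultdict(int)
            for e in renames:
                ext[e["new_path"].rsplit(".", 1)[-1].lower()] += 1
            hits[pid] = (best, max(ext, key=ext.get))
    return hits


def ransom_notes(events, ext):
    """FileCreate paths named <ext>-readme.txt (assumed note naming convention)."""
    pat = re.compile(rf"(^|\\){re.escape(ext)}-readme\.txt$", re.IGNORECASE)
    return [e["path"] for e in events if e["type"] == "FileCreate" and pat.search(e["path"])]


def wallpaper_changes(events):
    """PIDs that set the Desktop wallpaper value."""
    return [e["pid"] for e in events if e["type"] == "RegistrySet"
            and (e["key"].lower(), e["value"].lower()) == WALLPAPER_KEY]


def hunt(events):
    """Correlate the signals per PID. The netsh child is attributed to its parent so the
    firewall change lands on the same PID as the encryption activity."""
    findings = defaultdict(set)
    for e in netsh_network_discovery(events):
        findings[e.get("ppid", e["pid"])].add("netsh_network_discovery")
    for pid, (count, ext) in rename_bursts(events).items():
        findings[pid].add(f"rename_burst:{count}:.{ext}")
        if ransom_notes(events, ext):
            findings[pid].add("ransom_note")
    for pid in wallpaper_changes(events):
        findings[pid].add("wallpaper_change")
    return {pid: sorted(sig) for pid, sig in findings.items()}


if __name__ == "__main__":
    for pid, signals in hunt(SAMPLE_EVENTS).items():
        print(f"PID {pid}: {', '.join(signals)}")
```

Run directly, it reports only PID 4120 with all four signals; the single benign rename and the benign netsh invocation produce nothing. With real telemetry, replace SAMPLE_EVENTS with the exported events and tune `window` and `threshold` to the endpoint's normal rename rate, since backup agents, build systems and bulk-rename tools can legitimately rename many files in a short time; the correlation in `hunt` is what keeps such a burst from raising an alert on its own.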

 

 

 

MITRE ATT&CK

T1016 System Network Configuration Discovery
T1135 Network Share Discovery
T1486 Data Encrypted for Impact
T1112 Modify Registry
T1047 Windows Management Instrumentation
T1059 Command and Scripting Interpreter

IOC

SHA-256:

04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864
d74f04f0b948d9586629e06e2a2a21bdf20d678e47058afb637414eb3701c1f6

The FortiGuard Managed Detection and Response (MDR) Service is designed for customers of the FortiEDR advanced endpoint security platform. This team of threat experts monitors, reviews and analyzes every alert, proactively hunts threats, and takes actions on behalf of customers to ensure they are protected according to their risk profile.