REvil Ransomware used in Kaseya
Attackers compromised up to 1500 companies during a massive ransomware attack, which is now reported as one of the largest cyber attacks ever. Victims were infected with REvil ransomware, which is similar to the DarkSide ransomware used recently in the Colonial Pipeline attack. However, this time, the deployed REvil ransomware was more obfuscated than the versions observed at the beginning of 2021. In this article, we will discuss the obfuscation techniques used by REvil in the Kaseya incident.
DarkSide Ransomware
DarkSide Ransomware is a very hot topic now, especially after the compromise of Colonial Pipeline networks, which has been investigated by the FBI, too. It caused such serious problems that even the hackers said that they “didn’t mean to create problems”. However, DarkSide ransomware is not something completely new, and it is similar to the infamous REvil/Sodinokibi ransomware. In this post, I would like to highlight some significant similarities between newer samples of both ransomware families, with insights about DarkSide victims based on custom ransom notes.
GandCrab String Decryption Update
Introduction In the post about GandCrab String Decryption I use a very simple heuristic for identifying the function for string decryption. Because this kind of function is usually heavily used, I made an assumption that the string decryption function is the most used function in our sample. This assumption is correct for GandCrab v5.1 DLL files, but it turns out that it is not true for GandCrab v5.2 and v5.3 EXE samples.
GandCrab String Decryption
Introduction The last article, about the Ursnif campaign, presented the Ursnif PowerShell downloader, which was also able to download the GandCrab payload. This payload was injected as a DLL library into the running process, and during the last analysis I extracted it. Now, it is time to look more closely at this GandCrab sample.
Obfuscated strings After a quick look at the disassembly, we can notice many calls to one particular function, in our case named by IDA as sub_10009E69.