{"description": "Enterprise techniques used by REvil, ATT&CK software S0496 (v2.2)", "name": "REvil (S0496)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.001", "comment": "[REvil](https://attack.mitre.org/software/S0496) can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.(Citation: McAfee Sodinokibi October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134.002", "comment": "[REvil](https://attack.mitre.org/software/S0496) can launch an instance of itself with administrative rights using runas.(Citation: Secureworks REvil September 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[REvil](https://attack.mitre.org/software/S0496) has used HTTP and HTTPS in communication with C2.(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[REvil](https://attack.mitre.org/software/S0496) has used PowerShell to delete volume shadow copies and download files.(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[REvil](https://attack.mitre.org/software/S0496) can use the Windows command line to delete volume shadow copies and disable recovery.(Citation: Cylance Sodinokibi July 2019)(Citation: Talos Sodinokibi April 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[REvil](https://attack.mitre.org/software/S0496) has used obfuscated VBA macros for execution.(Citation: G Data Sodinokibi June 2019)(Citation: Picus Sodinokibi January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1485", "comment": "[REvil](https://attack.mitre.org/software/S0496) has the capability to destroy files and folders.(Citation: Kaspersky Sodin July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1486", "comment": "[REvil](https://attack.mitre.org/software/S0496) can encrypt files on victim systems and demands a ransom to decrypt the files.(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Talos Sodinokibi April 2019)(Citation: McAfee REvil October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)(Citation: Tetra Defense Sodinokibi March 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[REvil](https://attack.mitre.org/software/S0496) can decode encrypted strings to enable execution of commands and payloads.(Citation: G Data Sodinokibi June 2019)(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1189", "comment": "[REvil](https://attack.mitre.org/software/S0496) has infected victim machines through compromised websites and exploit kits.(Citation: Secureworks REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks GandCrab and REvil September 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[REvil](https://attack.mitre.org/software/S0496) has encrypted C2 communications with the ECIES algorithm.(Citation: Kaspersky Sodin July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "showSubtechniques": true}, {"techniqueID": "T1480.002", "comment": "[REvil](https://attack.mitre.org/software/S0496) attempts to create a mutex using a hard-coded value to ensure that no other instances of itself are running on the host.(Citation: SecureWorks September 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[REvil](https://attack.mitre.org/software/S0496) can exfiltrate host and malware information to C2 servers.(Citation: Secureworks REvil September 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[REvil](https://attack.mitre.org/software/S0496) has the ability to identify specific files and directories that are not to be encrypted.(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[REvil](https://attack.mitre.org/software/S0496) can connect to and disable the Symantec server on the victim's network.(Citation: Cylance Sodinokibi July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562.009", "comment": "[REvil](https://attack.mitre.org/software/S0496) can force a reboot in safe mode with networking.(Citation: BleepingComputer REvil 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[REvil](https://attack.mitre.org/software/S0496) can mark its binary code for deletion after reboot.(Citation: Intel 471 REvil March 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[REvil](https://attack.mitre.org/software/S0496) can download a copy of itself from an attacker controlled IP address to the victim machine.(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Picus Sodinokibi January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1490", "comment": "[REvil](https://attack.mitre.org/software/S0496) can use vssadmin to delete volume shadow copies and bcdedit to disable recovery features.(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)(Citation: Tetra Defense Sodinokibi March 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[REvil](https://attack.mitre.org/software/S0496) can mimic the names of known executables.(Citation: Picus Sodinokibi January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[REvil](https://attack.mitre.org/software/S0496) can modify the Registry to save encryption parameters and system information.(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[REvil](https://attack.mitre.org/software/S0496) can use Native API for execution and to retrieve active services.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.011", "comment": "[REvil](https://attack.mitre.org/software/S0496) can save encryption parameters and system information in the Registry.(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[REvil](https://attack.mitre.org/software/S0496) has used encrypted strings and configuration files.(Citation: G Data Sodinokibi June 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1069", "showSubtechniques": true}, {"techniqueID": "T1069.002", "comment": "[REvil](https://attack.mitre.org/software/S0496) can identify the domain membership of a compromised host.(Citation: Kaspersky Sodin July 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Secureworks REvil September 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[REvil](https://attack.mitre.org/software/S0496) has been distributed via malicious e-mail attachments including MS Word Documents.(Citation: G Data Sodinokibi June 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Picus Sodinokibi January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055", "comment": "[REvil](https://attack.mitre.org/software/S0496) can inject itself into running processes on a compromised host.(Citation: McAfee REvil October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[REvil](https://attack.mitre.org/software/S0496) can query the Registry to get random file extensions to append to encrypted files.(Citation: Secureworks REvil September 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1489", "comment": "[REvil](https://attack.mitre.org/software/S0496) has the capability to stop services and kill processes.(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[REvil](https://attack.mitre.org/software/S0496) can identify the username, machine name, system language, keyboard layout, OS version, and system drive information on a compromised host.(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)(Citation: Secureworks REvil September 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1614", "showSubtechniques": true}, {"techniqueID": "T1614.001", "comment": "[REvil](https://attack.mitre.org/software/S0496) can check the system language using GetUserDefaultUILanguage and GetSystemDefaultUILanguage. If the language is found in the list, the process terminates.(Citation: Kaspersky Sodin July 2019)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1007", "comment": "[REvil](https://attack.mitre.org/software/S0496) can enumerate active services.(Citation: Intel 471 REvil March 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[REvil](https://attack.mitre.org/software/S0496) has been executed via malicious MS Word e-mail attachments.(Citation: G Data Sodinokibi June 2019)(Citation: McAfee REvil October 2019)(Citation: Picus Sodinokibi January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[REvil](https://attack.mitre.org/software/S0496) can use WMI to monitor for and kill specific processes listed in its configuration file.(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Group IB Ransomware May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by REvil", "color": "#66b1ff"}]}