Exposing the Internet-Connected Infrastructure of the REvil Ransomware Gang - An In-Depth OSINT Analysis

Dear blog readers,

In this post I've decided to do an in-depth OSINT analysis on the recently busted REvil ransomware gang and decided to elaborate more and emphasize on the key fact in specific how come that a single ransomware group with several publicly accessible and easy to shut down C&C (command and control) server domains including several randomly generated Dark Web Onion URLs could easily result in millions of damage and who really remembers a situation when getting paid for getting hacked including the basic principle that you should never interact with cybercriminals but instead should passively and proactively monitor them could result in today's modern and unspoken ransomware growth epidemic and the rise of wrong buzz words as for instance ransomware-as-a-corporation where you basically have the bad guys obtain initial access to an organization's network and then hold its information encryption leading us to the logical conclusion who on Earth would pay millions of dollars to avoid possible bad reputation damage including to fuel growth into a rogue and fraudulent scheme as as for instance the encryption of sensitive company information and leaking it to the public in exchange for financial rewards.

Sample REvil ransomware gang publicly accessible C&C (command and control) servers include:

hxxp://decoder[.]re

hxxp://decryptor[.]cc - 136[.]243[.]214[.]30; 45[.]138[.]74[.]27

hxxp://decryptor[.]top

Related name servers known to have been used in the campaign include:

hxxp://1-you[.]njalla[.]no

hxxp://3-get[.]njalla[.]fo

hxxp://2-can[.]njalla[.]in

hxxp://1-you[.]njalla[.]no

Related responding IPs for hxxp://decryptor[.]cc:

2021/12/30 - 103[.]224[.]212[.]219

2021/10/23 - 198[.]58[.]118[.]167

2021/10/23 - 45[.]79[.]19[.]196

2021/10/23 - 45[.]56[.]79[.]23

2021/10/23 - 45[.]33[.]18[.]44

2021/10/23 - 72[.]14[.]178[.]174

2021/10/23 - 45[.]33[.]2[.]79

2021/10/23 - 45[.]33[.]30[.]197

2021/10/23 - 96[.]126[.]123[.]244

2021/10/23 - 45[.]33[.]23[.]183

2021/10/23 - 173[.]255[.]194[.]134

2021/10/23 - 45[.]33[.]20[.]235

2021/10/23 - 72[.]14[.]185[.]43

2021/10/08 - 78[.]41[.]204[.]37

2021/10/03 - 209[.]126[.]123[.]12

2021/09/24 - 78[.]41[.]204[.]28

2021/09/03 - 209[.]126[.]123[.]13

2021/08/19 - 78[.]41[.]204[.]38

2021/08/02 - 81[.]171[.]22[.]4

2021/07/27 - 81[.]171[.]22[.]6

2021/04/17 - 103[.]224[.]212[.]219

2020/11/10 - 45[.]138[.]74[.]27

2020/11/04 - 45[.]138[.]74[.]27

2020/09/14 - 136[.]243[.]214[.]30

2020/09/06 - 136[.]243[.]214[.]30

2020/08/30 - 212[.]22[.]78[.]23

2020/08/23 - 212[.]22[.]78[.]23

2020/07/30 - 212[.]22[.]78[.]23

2020/07/24 - 212[.]22[.]78[.]23

2020/07/07 - 212[.]22[.]78[.]23

2020/05/30 - 193[.]164[.]150[.]68

2020/05/20 - 193[.]164[.]150[.]68

2020/05/10 - 194[.]36[.]190[.]41

2020/05/08 - 194[.]36[.]190[.]41

2020/04/29 - 194[.]36[.]190[.]41

2020/04/06 - 194[.]36[.]190[.]41

2020/02/17 - 94[.]103[.]87[.]78

Related responding IPs for hxxp://decryptor[.]top (185[.]193[.]127[.]162; 192[.]124[.]249[.]13; 96[.]9[.]252[.]156):

2021/07/12 - 45[.]9[.]148[.]108

2020/09/18 - 185[.]193[.]127[.]162

2020/09/15 - 185[.]193[.]127[.]162

2020/08/07 - 185[.]193[.]127[.]162

2020/01/16 - 162[.]251[.]120[.]66

2019/12/23 - 45[.]138[.]96[.]206

2019/12/12 - 107[.]175[.]217[.]162

2019/10/07 - 96[.]9[.]252[.]156

2019/09/04 - 96[.]9[.]252[.]156

2019/07/15 - 91[.]214[.]71[.]139

Related MD5s known to have been involved in the campaign:

MD5: 57d4ea7d1a9f6b1ee6b22262c40c8ef6

MD5: fe682fad324bd55e3ea9999abc463d76

MD5: e87402a779262d1a90879f86dba9249acb3dce47

MD5: 4334009488b277d8ea378a2dba5ec609990f2338

MD5: 2dccf13e199b60dd2cd52000a26f8394dceccaa6

Stay tuned!