Ransom Tales: Volume V — Emulating REvil, DarkSide, and BlackMatter Ransomware

Summary

This article covers the fifth volume of AttackIQ’s Ransom Tales series, which recreates the tactics, techniques, and procedures of three notorious ransomware families—REvil, DarkSide, and BlackMatter. Each scenario walks through execution, persistence, discovery, defense evasion, and impact stages to enable defenders to validate detection and response playbooks. The emulations reproduce hallmark behaviors, such as DLL search order hijacking, registry abuse, scheduled tasks for persistence, VSS shadow copy deletion, and strong cryptographic file encryption. The piece also revisits major supply-chain intrusions and tracks how ransomware-as-a-service has matured over time.

Ransomware Attack Analysis

AttackIQ’s Adversary Research Team drew on public threat-intel reporting and malware samples to craft realistic attack graphs for each ransomware family. Researchers mapped individual steps to MITRE ATT&CK technique IDs and designed execution paths that retrieve payloads, establish persistence, enumerate host and domain information, and encrypt files. The team also modeled the use of known CVE exploits leveraged by DarkSide for initial access. The investigation underscores shared tooling, overlapping infrastructure, and code reuse by REvil, DarkSide, and BlackMatter ransomware families.

Mitigation

Recommended mitigation actions focus on enforcing the principle of least privilege, disabling non-essential services, and rapidly patching exposed systems, including known VMware ESXi vulnerabilities. Teams are urged to restrict remote desktop access, closely monitor for suspicious registry changes and newly created scheduled tasks, and deploy robust application control. The guidance further stresses the role of endpoint detection technologies and routine verification of backups to contain the blast radius of ransomware incidents.

Response

When ransomware-style activity is detected, responders should immediately isolate impacted systems, capture volatile memory, collect relevant registry hives, and preserve log sources. Forensic review should examine shadow copies, scheduled tasks, and registry keys for signs of REvil, DarkSide, or BlackMatter tradecraft. Recovery involves restoring data from clean, validated backups and hunting for lateral movement attempts using SMB and LDAP credentials. Finally, teams should brief stakeholders, document the incident, and enrich findings with threat intel to support attribution and future defensive improvements.

Simulations

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

• Attack Narrative & Commands:
  The REvil operator targets the victim machine to ensure that the ransomware payload launches automatically after a reboot. Using a PowerShell dropper, the attacker creates three registry modifications that the rule monitors:

  1. Create a deceptive “BlackLivesMatter” key under the Wow6432Node branch – a known REvil indicator.
  2. Enable AutoAdminLogon to force automatic logon of a privileged account after reboot, facilitating ransomware execution.
  3. Add a payload to the RunOnce key so the malicious executable runs once at system start.

  All three actions are performed with elevated rights, generating Security Event ID 13 entries that match the Sigma rule’s selection filter.

• Regression Test Script:

  # -------------------------------------------------
  # REvil Registry Manipulation Simulation (TC-20251114-3Z7XQ)
  # -------------------------------------------------
  # 1. BlackLivesMatter key (HKLM\SOFTWARE\WOW6432Node\BlackLivesMatter)
  $blmKey = 'HKLM:\SOFTWARE\WOW6432Node\BlackLivesMatter'
  New-Item -Path $blmKey -Force | Out-Null
  New-ItemProperty -Path $blmKey -Name 'Command' -Value 'C:\Temp\revil_payload.exe' -PropertyType String -Force
  
  # 2. AutoAdminLogon activation
  $autoAdminKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
  Set-ItemProperty -Path $autoAdminKey -Name 'AutoAdminLogon' -Value '1' -Force
  
  # 3. RunOnce persistence for the payload
  $runOnceKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
  New-Item -Path $runOnceKey -Force | Out-Null
  New-ItemProperty -Path $runOnceKey -Name 'RevilStart' -Value 'C:\Temp\revil_payload.exe /quiet' -PropertyType String -Force
  
  Write-Host "REvil registry simulation completed. Verify alerts in SIEM."

• Cleanup Commands:

  # -------------------------------------------------
  # Cleanup REvil Registry Simulation Artifacts
  # -------------------------------------------------
  # Remove BlackLivesMatter key
  Remove-Item -Path 'HKLM:\SOFTWARE\WOW6432Node\BlackLivesMatter' -Recurse -Force -ErrorAction SilentlyContinue
  
  # Reset AutoAdminLogon (set to 0 or remove)
  Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
      -Name 'AutoAdminLogon' -Value '0' -Force
  
  # Remove RunOnce entry
  Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' `
      -Name 'RevilStart' -Force -ErrorAction SilentlyContinue
  
  Write-Host "Cleanup completed."