
REvil Ransomware

Posted: July 16, 2019

The REvil Ransomware, also known as Sodinokibi or Sodin, is a file-locking Trojan that blocks media on your computer by encrypting it. The REvil Ransomware uses a Ransomware-as-a-Service deployment method, and third-party criminals may distribute it by hacking into vulnerable servers, seeding torrents or sending spam e-mails. Let your anti-malware services uninstall the REvil Ransomware whenever they identify it and keep backups for countering the loss of files.

The GandCrab Ransomware's Evil Comes Back to Life

The much-anticipated retirement of the GandCrab Ransomware's 'family business' is hitting a hitch: its threat actors may not be honest about leaving the industry behind them. A new file-locker Trojan with suspicious internal similarities to that Ransomware-as-a-Service threat is in the wild, albeit with a highly selective partnership model. The REvil Ransomware, AKA Sodinokibi, could be the successor to the old RaaS and uses many of the same attacks.

The REvil Ransomware, like the GandCrab Ransomware, uses encryption to lock files on the user's computer and prioritizes content such as documents, pictures and other media. It also takes care to delete the Shadow Volume Copy backups by abusing the Windows CMD utility, which is standard behavior for threats of this category. Then, it drops a text message that demands a ransom and provides a link to an anonymous Tor website for buying the threat actor's decryptor.
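Because deleting the Shadow Volume Copies through CMD is standard behavior for this category of threat, it is one of the more reliable host-side signals a defender can alert on before the ransom note appears. The following Python snippet is an added example, not code from the original article or from any of the threat actors it describes: it runs simple command-line detection rules over a handful of constructed, Sysmon-style process-creation events. The field names (`ts`, `image`, `parent`, `cmdline`), the rule patterns and the "suspicious parent directory" heuristic are all assumptions made for this illustration; the patterns cover the vssadmin, WMIC and WMI-via-PowerShell ways of removing shadow copies, which is broader than the single CMD route the article mentions.

```python
"""Flag Shadow Volume Copy deletion in process-creation logs (added example)."""
import re
from typing import Dict, Iterable, List

# Rules are (name, compiled regex) pairs applied to the process command line.
# These are assumed patterns for this example, not signatures from the article.
SHADOW_DELETE_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wmi_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*(?:\.delete\(\)|remove-wmiobject|remove-ciminstance)", re.I)),
]

# Parent images living in user-writable locations are an assumed escalation
# heuristic: legitimate administrators rarely delete shadow copies from there.
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample events in a simplified Sysmon Event ID 1 shape.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2019-07-16T10:01:02", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2019-07-16T10:01:03", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2019-07-16T10:01:04", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": "powershell -nop -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}\""},
    # Benign: an administrator listing shadow copies from a console.
    {"ts": "2019-07-16T10:05:00", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},
    # Benign: scheduled backup job.
    {"ts": "2019-07-16T11:00:00", "image": r"C:\Windows\System32\wbadmin.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "wbadmin start backup -backupTarget:E: -include:C: -quiet"},
]


def detect_shadow_copy_deletion(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event whose command line matches a deletion rule.

    Severity is 'high' when the parent process runs from a user-writable
    directory (assumed heuristic), otherwise 'medium'.
    """
    findings: List[Dict[str, str]] = []
    for ev in events:
        cmdline = ev.get("cmdline", "")
        for name, pattern in SHADOW_DELETE_RULES:
            if pattern.search(cmdline):
                parent = ev.get("parent", "").lower()
                severity = "high" if any(d in parent for d in SUSPICIOUS_PARENT_DIRS) else "medium"
                findings.append({
                    "ts": ev.get("ts", ""),
                    "rule": name,
                    "severity": severity,
                    "image": ev.get("image", ""),
                    "cmdline": cmdline,
                })
                break  # one finding per event is enough
    return findings


if __name__ == "__main__":
    for f in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"{f['ts']} [{f['severity']}] {f['rule']}: {f['cmdline']}")
```

Running the block prints three findings and leaves the `vssadmin list shadows` and `wbadmin` events alone. In a real deployment the same rules would be fed from the SIEM's process-creation stream, and a "high" finding is a reasonable trigger for isolating the host, since by the time shadow copies are being removed the encryption routine is usually about to start.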

The possibility of the REvil Ransomware being a GandCrab Ransomware replacement rests on more than the timing of its appearance. The REvil Ransomware shares a similar country-filtering list that excludes Soviet satellite regions (and Syria), uses the same style of URL generation and contains programming methodology reminiscent of the GandCrab Ransomware family. None of these factors is indisputable evidence of the connection, but, overall, the picture is one of the REvil Ransomware taking over the business that its forebear made billions out of running.

Taking Out File-Locking Crime as Its Leadership Swaps Faces

The REvil Ransomware is more than just a theoretical or in-development threat, unlike some of the file-locker Trojans of July. Malware experts are confirming attacks that deploy the REvil Ransomware manually after compromising the target's server infrastructure, without requiring e-mail downloads or other 'inviting' contact from an inside user. The exploitation of CVE-2019-2725, a remote code execution vulnerability in Oracle WebLogic Server, is a primary factor. There is a patch for this weakness, and concerned server admins should double-check for security updates.

The REvil Ransomware is no more decryptable than the GandCrab Ransomware or other competently programmed Ransomware-as-a-Service families. Users should save backups of their media on other devices as a means of preserving content against file-locker Trojans' attacks. While the REvil Ransomware does provide a ransom-based recovery option, paying may not give the victim their files, and rarely includes a realistic possibility of getting a refund.

Updated and Windows-compatible anti-malware software remains ideal for protecting systems from intrusions by this threat or removing the REvil Ransomware after infection, in worst-case circumstances.

It's too much to hope for criminals to leave money on the table untaken. Until everyone learns how to keep their files secure, the REvil Ransomware, or another Trojan just like it, will always be around.
