What is REvil Ransomware and How Does It Work?

Ransomware is a kind of malware that malicious cybercriminals use. When ransomware infects a system, it encrypts the data or blocks any access to the data. The cybercriminals then ask for ransom money before they can release the data. So, what is REvil ransomware? Find out in this article and learn how to prevent REvil ransomware.

What is REvil ransomware?

REvil is a prominent criminal ransomware group with several attacks attributed to it since April 2019. The REvil ransomware itself is malware that encrypts files and leaves the victims a message demanding a ransom; if the victims do not pay, the demand may double. REvil has extorted money from large organizations across the world and has become the most widespread and notorious ransomware operator worldwide. The people behind REvil are a menace to organizations because they also steal important business data and threaten to release it on the dark web.


REvil operates as a Ransomware as a service (RaaS) model. Ransomware-as-a-service (RaaS) is a subscription model where the criminal group behind the ransomware develops the malware code. Then, affiliates use the malware code to perform ransomware attacks. REvil creates adaptable encryptors and decryptors, services for ransom negotiations, and a site to expose the stolen data if the victims fail to pay the ransom demand. 

The affiliates earn money from successful ransom payments, and REvil takes a percentage of each ransom as its fee. This arrangement has led to widespread attacks, with affiliates using phishing, scan-and-exploit techniques, exposed RDP servers, and backdoored software installers.

How REvil Works

Now, let us see how a REvil intrusion typically unfolds:

1 Gaining Access

Most REvil threat actors gain access with previously compromised credentials, which let them reach assets remotely over Remote Desktop Protocol (RDP). Another common tactic is phishing. Other attack vectors they have exploited are:

  • Sending malicious email attachments that launch a payload when opened. The payload downloads the QakBot malware, which collects the emails stored on the local system; these are then archived and sent to the attackers’ servers.
  • Using RDP to reach internet-facing systems with compromised credentials.
  • Attaching malicious ZIP files containing a macro-embedded Excel file. Opening the file introduces an Ursnif infection that is then used to compromise the network.
  • Exploiting vulnerabilities to obtain credentials. VPN and SonicWall flaws are among the vulnerabilities most likely to be exploited.

2 Establishing a Presence in The Network

After REvil threat actors gain access to a system, they establish a presence within the network. They tend to use Cobalt Strike BEACON, and in many cases remote-access software such as ScreenConnect and AnyDesk. In other instances, they create their own local and domain accounts and add them to the ‘Remote Desktop Users’ group. They then disable antivirus software and weaken any security processes that would disrupt their presence in the network. These strategies give them continued access within the network.

3 Expanding Access and Gathering Intelligence

Even after the initial access, REvil threat actors still need accounts with higher privileges to meet their objectives. For example, they use Mimikatz to recover cached credentials from the local host. They also use open-source tools and built-in administrative commands to collect intelligence on the victims’ systems, and have been reported to use ProcessHacker and PCHunter to gain insight into the processes and services running in the victims’ environment.

4 Completing Objectives

The final step in a REvil attack is to encrypt the network, exfiltrate data from the systems, or destroy data so that the victims cannot access it.

REvil attackers usually use legitimate administrative tools such as PsExec to distribute the ransomware encryptors. The encryptors are accompanied by a text file listing the IP addresses and computer names collected earlier in the attack. In some instances, the attackers have logged into hosts with individual domain accounts and executed the ransomware manually. For exfiltration, the threat actors have used the MEGASync software to upload archived data, and in other instances RCLONE to move the stolen data out.
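As an added illustration that is not part of the original article, the following Python script runs simple detection rules over constructed Windows event-log lines for the behaviours described in steps 2 and 4 above (members added to the ‘Remote Desktop Users’ group, a PsExec service install, rclone or MEGAsync execution). The hosts, users, paths and log lines are invented samples; the event IDs used (4732 group-member added, 7045 service installed, 4688 process created) are the standard Windows ones.

```python
"""Added example, not from the original article: triage of constructed Windows
event-log lines for the REvil behaviours described above (members added to
'Remote Desktop Users', a PsExec service install, rclone/MEGAsync running)."""
import re
from collections import defaultdict

# Constructed sample events, one per line: "<EventID>|<host>|<detail>" (invented hosts/paths).
SAMPLE_LOG = """\
4624|FILESRV01|LogonType=10 User=contractor01 Source=203.0.113.45
4732|FILESRV01|Member=svc_backup Group=Remote Desktop Users
7045|FILESRV01|ServiceName=PSEXESVC ImagePath=C:\\Windows\\PSEXESVC.exe
4688|FILESRV01|NewProcess=C:\\Tools\\rclone.exe CommandLine="rclone copy D:\\Finance remote:drop"
4688|WKS-042|NewProcess=C:\\Program Files\\MEGAsync\\MEGAsync.exe
4688|WKS-042|NewProcess=C:\\Windows\\System32\\notepad.exe
"""

# (rule name, Windows event ID, pattern over the detail field, article stage)
# 4732 = member added to local group, 7045 = service installed, 4688 = process created
RULES = [
    ("rdp_group_add", "4732", re.compile(r"Group=Remote Desktop Users"), "2 Establishing a Presence"),
    ("psexec_service", "7045", re.compile(r"ServiceName=PSEXESVC", re.I), "4 Completing Objectives"),
    ("exfil_tool", "4688", re.compile(r"(rclone|megasync)\.exe", re.I), "4 Completing Objectives"),
]

def parse_events(text):
    """Split 'id|host|detail' lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event_id, host, detail = line.split("|", 2)
            events.append({"id": event_id, "host": host, "detail": detail})
    return events

def match_rules(events):
    """Return one hit per (event, rule) pair whose ID and pattern both match."""
    hits = []
    for ev in events:
        for name, eid, pattern, stage in RULES:
            if ev["id"] == eid and pattern.search(ev["detail"]):
                hits.append({"host": ev["host"], "rule": name, "stage": stage})
    return hits

def hosts_to_escalate(hits, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired: one behaviour
    alone may be routine admin work, several together warrant incident response."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].add(h["rule"])
    return sorted(host for host, rules in per_host.items() if len(rules) >= min_rules)
```

Run against the sample, `match_rules` returns four hits and `hosts_to_escalate` returns only FILESRV01, because WKS-042 triggered a single rule.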

How Successful is REvil?

Most security experts rank REvil among the most severe and prevalent RaaS operations, alongside Conti, DoppelPaymer, Ryuk, and others. REvil’s success can be attributed to its use of skilled affiliates who are capable of getting into and navigating large victim networks, infecting endpoints, and demanding ransoms.

REvil threat actors have amassed impressive profits by targeting not only poorly secured Remote Desktop Protocol connections but also unpatched software. Successful ransomware operations are those that constantly evolve, and REvil has done just that.

How to Defend Against REvil

Countering REvil attacks starts with eliminating or reducing the initial attack surface. The common ways these threat actors gain initial access are phishing, RDP, and unpatched vulnerabilities, so the defense should focus on minimizing those three. To properly secure your environment against this kind of ransomware, you also need to identify blind spots such as rogue assets, applications, and users, which are high-risk attack vectors.

Here are some of the best practices on how to prevent REvil ransomware attacks:

  • Identify any unpatched or outdated operating systems and applications. Unpatched OS and software are among the weakest links in security, so run the latest versions of software and operating systems to close off one of the attackers’ easiest ways in.
  • Monitor your systems regularly. That will help you identify who is active within your networks and ensure that they are not going beyond the permissions of their credentials.
  • Encourage the use of strong passwords and perform regular password updates. These keep cases of credential theft to a minimum. All users accessing your networks need to comply with the security requirements.
  • Ensure that internet communications are secure and that connections between browser and server are encrypted using an SSL certificate. These are ideal since they secure a site using strong 256-bit encryption. Choosing the right kind of SSL certificate for your bespoke needs may seem like a daunting task. But we have got you covered. If you own a website with multiple first-level subdomains under the main domain and plan to expand by adding more such subdomains, we suggest going for a wildcard SSL certificate. For example, you could try the comodo positive ssl wildcard certificate, as it provides you with premium encryption at unbeatable prices!
  • Provide awareness and education to all users. The people accessing your systems need to appreciate the importance of cybersecurity to ensure that they are following the best practices. 
  • Delete old accounts that are not in use since they can be used to access the system. 
  • Apply Multi-Factor Authentication to provide more layers of security. 
  • Ensure that any administrative activities happen through a jump host. 
  • Have data backups to ensure that there is a seamless disaster recovery and data restoration. 

Wrap Up

Recovering from a ransomware attack can cost an organization immense sums of money. It is, therefore, crucial to prevent such kinds of attacks as much as possible. The best defense against any ransomware attack is employing a comprehensive strategy. It should involve training, utilizing the best safety procedures, having offsite data backups, and conducting regular cybersecurity audits and assessments.
