Remove REvil ransomware (Removal Instructions) - Recovery Instructions Included

Removal by Olivia Morelli | Type: Ransomware

REvil ransomware is a sophisticated malware family that uses a RaaS scheme to spread the threat worldwide

REvil ransomware
REvil ransomware is file locking malware that uses a variety of infiltration methods, as well as sophisticated evasion techniques

REvil ransomware is a data locking virus that was first spotted in April 2019 by security researchers from Cisco Talos.[1] Otherwise known as Sodinokibi/Sodin, the threat started off by exploiting the zero-day vulnerability CVE-2019-2725.[2] It allows attackers with HTTP access to an Oracle WebLogic server to connect remotely to the host machine and inject the malware manually. Initially, the payload was delivered alongside the notorious GandCrab 5.2 ransomware, of which REvil is now believed to be the successor.

Once inside, the REvil virus uses the Salsa20 stream cipher (with keys established through an ECDH[3] key exchange) to encrypt all data on the hard drive and the connected networks. It appends a randomly generated extension to databases, documents, pictures, and other files. Additionally, it drops a [random]-readme.txt or HOW-TO-DECRYPT.txt ransom note and changes the desktop wallpaper. The text file explains that victims need to install the Tor web browser and visit a provided link. Hackers then ask for a $2,500 ransom in Bitcoin, and the demand is doubled if it is not paid within five days.

Name: REvil
Also known as: Sodinokibi/Sodin
Type: Ransomware
Cipher: Salsa20
File extension: Randomly generated
Related files: sodinokibi.exe
Ransom note: [random]-readme.txt or HOW-TO-DECRYPT.txt
Ransom size: $2,500, which doubles after 5 days
Distribution: CVE-2019-2725, CVE-2018-8453, Rig exploit kit, spam emails, unprotected RDP, etc.
Decryption: Files can only be decrypted with the help of backups. Alternatively, users can try third-party recovery software (we provide download links and instructions in the recovery section below)
Termination: Use reputable anti-malware software, such as Reimage, SpyHunter 5 or Combo Cleaner

REvil ransomware is believed to be the next GandCrab, as security researchers have found many similarities between the two. The developers of the malware might be the same as well, even though they claimed to have retired. The malware uses more sophisticated techniques for its distribution, obfuscation, and operation, so it seems that the hackers have upped their game and are going for larger profits.

The ransom note [random]-readme.txt states the following:

Hello dear friend!

Your files are encrypted, and, as a result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got a 6d4q6r3o extension.

Instructions into the TOR network
———————————-
Install TOR browser from https://torproject.org

Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C2D97495C4BA3647 

Instructions into WWW (The following link can not be in work state, if true, use TOR above):
———————————-
Visit the following link: http://decryptor.top/C2D97495C4BA3647

Victims of REvil are led to a Tor page that presents a ransom amount of $2,500 and a timer that expires after five days. This creates a sense of urgency, prompting users to pay as soon as possible.

While there is no decryption tool available for this sophisticated threat, there are alternative data recovery methods that you can use. Nevertheless, you need to remove REvil ransomware before you proceed with the file recovery process. For that, use anti-malware software such as Reimage, SpyHunter 5 or Combo Cleaner, although other reputable tools can help you as well.

REvil ransomware virus
REvil is a ransomware-type virus that used CVE-2019-2725, CVE-2018-8453, Rig EK and other techniques to reach its targets

The advanced operation of REvil ransomware is set to retain a maximum amount of profits

While the malware was initially spotted being spread via the WebLogic flaw, the REvil ransomware authors later adopted broader techniques, such as:

  • Spam email attachments
  • Rig exploit kit
  • Hacked sites
  • Unprotected RDP configurations
  • Managed Service Provider hacks, etc.

In one of the campaigns, the hackers behind REvil ransomware used a former Windows zero-day, CVE-2018-8453,[4] which had previously been used by the state-sponsored hacking group FruityArmor since August 2018.

Upon infiltration, REvil ransomware makes a variety of changes to the infected computer before it starts file encryption. It removes Shadow Volume Copies, modifies the Windows registry, disables the Windows repair function, connects to remote servers using more than 100 domains, and elevates its privileges, which is quite uncommon among ransomware-type viruses.

In some cases, the virus might also uninstall security applications, complicating REvil ransomware removal. Additionally, the sophisticated threat uses the relatively old Heaven's Gate technique,[5] which allows 64-bit code to be executed from a 32-bit process, consequently preventing its detection entirely.
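Two of the pre-encryption actions described above, Shadow Volume Copy removal and disabling Windows recovery, leave visible traces in process-creation telemetry, which is where defenders can catch a ransomware run before encryption starts. The following Python detection example is added here and is not code from the article or from any vendor it names; it runs rules over constructed Sysmon-style events, and the sample lines, the field layout and the assumption that these actions are carried out through the usual built-in Windows tools are all mine, since the article does not say which exact commands REvil runs.

```python
import re

# Constructed sample process-creation events, "user|parent_image|image|command_line"
# (loosely modelled on Sysmon Event ID 1). Made up for this example, not logs from a real incident.
SAMPLE_EVENTS = """\
alice|C:\\Windows\\explorer.exe|C:\\Program Files\\Office\\winword.exe|"winword.exe" report.docx
alice|C:\\Windows\\explorer.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\sodinokibi.exe|sodinokibi.exe
alice|C:\\Users\\alice\\AppData\\Local\\Temp\\sodinokibi.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet
alice|C:\\Users\\alice\\AppData\\Local\\Temp\\sodinokibi.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c bcdedit /set {default} recoveryenabled No
SYSTEM|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
bob|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c wmic shadowcopy delete
"""

# (rule name, regex over the command line). The rules cover the two pre-encryption actions the
# article describes, shadow copy removal and disabling Windows recovery, through the built-in
# tools commonly abused for them; assumption on my part, the article does not name REvil's commands.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# A parent process living under a user profile (AppData, Downloads) is much more suspicious than
# an administrator running vssadmin from an elevated console, so it raises the severity.
USER_WRITABLE_PARENT = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Downloads)\\", re.I)


def parse_event(line):
    """Split one event line into a dict of its four fields (command line may contain '|')."""
    user, parent_image, image, command_line = line.split("|", 3)
    return {"user": user, "parent_image": parent_image,
            "image": image, "command_line": command_line}


def detect(lines):
    """Return one alert dict per event whose command line matches a rule."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule, pattern in RULES:
            if pattern.search(ev["command_line"]):
                suspicious_parent = bool(USER_WRITABLE_PARENT.search(ev["parent_image"]))
                alerts.append({"rule": rule,
                               "severity": "high" if suspicious_parent else "medium",
                               "user": ev["user"],
                               "parent_image": ev["parent_image"],
                               "command_line": ev["command_line"]})
                break  # one alert per event is enough
    return alerts
```

Running `detect(SAMPLE_EVENTS.splitlines())` yields three alerts: the two spawned from the Temp-resident binary rated high and the one launched from explorer.exe rated medium, while the benign `vssadmin list shadows` is not flagged.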

Security researchers believe that this is not the end, and that REvil, otherwise known as Sodinokibi, will continue to adopt new techniques to evade detection, infect more victims and extract maximum profits from the illegal business run by organized cybercrime groups.

REvil ransomware encrypted files
Once REvil completes the infected system modification, it starts the encryption process that prevents victims from using the files and appends a random extension

CIS countries are excluded from REvil ransomware campaigns, just as they were from GandCrab

REvil ransomware uses a predetermined list of countries that are excluded from infection. That means that users whose keyboard layouts are set to Armenian, Belarusian, Kazakh, Moldovan, Russian, Kyrgyz, Tajik, Turkmen, Ukrainian or Uzbek are immune to the infection – as soon as REvil detects one of these languages, it exits the system without causing any harm.

All the mentioned countries are part of the CIS – the Commonwealth of Independent States – and are often excluded from ransomware campaigns. This is most likely because the REvil ransomware authors reside in those countries and do not want to attract attention from local authorities, which makes operating the threat much easier and safer.

An interesting fact is that Syria is also excluded, even though it is not part of the CIS. The GandCrab developers took the same unusual step when they released the keys for victims from the war-ridden country back in October 2018. This cost the malware makers quite a sum, as Bitdefender released a free decryptor shortly after. Nevertheless, a newer version was launched soon after, and victims were again unable to decrypt their data.

REvil ransom notes

Brian Krebs, a well-known malware analyst, believes that REvil is just a rebranded GandCrab, following up with this statement:[6]

My guess is the GandCrab team has not retired, and has simply regrouped and re-branded due to the significant amount of attention from security researchers and law enforcement investigators. It seems highly unlikely that such a successful group of cybercriminals would just walk away from such an insanely profitable enterprise.

Protect yourself against ransomware – use comprehensive malware prevention methods

Most regular users are convinced that they are safe as long as they have anti-malware software installed on their machines, and, while it is one of the most important malware prevention measures, it is by far not enough. As described above, the Sodinokibi developers use a Ransomware-as-a-Service scheme, which allows multiple different hacking groups or individuals to participate in the campaign, making it far more prevalent and widespread.

The malware is sophisticated enough to use code injection that bypasses anti-malware tools. For that reason, relying on security software alone and believing that you are safe is simply naive. For the future, experts from viruset.no[7] advise using the following malware prevention techniques:

  • Make sure you update the installed software along with the operating system as soon as new patches are released. Software vulnerabilities are commonly exploited by sophisticated malware families, so viruses that are spread this way are usually advanced and can result in severe consequences (i.e., data loss, money loss, sensitive information disclosure to cybercriminals, etc.);
  • Use ad-blockers. While these tools can prevent monetization for a variety of websites, they ensure that an ad cannot trigger a drive-by download that would install the malicious payload automatically. However, we recommend making exclusions for sites you want to support;
  • Equip your accounts with two-factor authentication. No matter what techniques hackers come up with, two-factor authentication would almost always prevent unauthorized access to your accounts;
  • Be careful when using Remote Desktop – never use the default port, and protect it with a strong, complex password;
  • NEVER re-use passwords;
  • Be more careful overall: do not click on phishing links on social media like Facebook Messenger, avoid suspicious sites, do not download software from unknown sources, do not pirate, etc.;
  • Back up your data on a regular basis – this negates the most damaging consequence of a ransomware infection.

You must terminate REvil ransomware from your computer before you attempt to recover your files

To many users, getting their files encrypted might be one of the most terrible things that can happen, whether it is days spent on work documents or precious family photos that cannot be recreated. Unfortunately, a REvil decryption tool does not exist yet, as the threat is relatively new, and researchers require time to break sophisticated code.

If you were thinking about whether you should pay the ransom, we advise you not to. Of course, the 5-day timer set by the REvil virus authors is just a trick used to make users pay the money as soon as possible. However, please rethink the consequences: the transferred Bitcoins would confirm that the illegal business works, so it will prompt the hackers to continue. More importantly, you might not get a decryption tool in return at all, or receive one that does not work. Remember, they do not owe you anything, as criminals do not care about the well-being of their victims.

Therefore, you should rather remove the REvil ransomware virus from your computer and then use alternative file recovery methods. Be aware that the malware strain is sophisticated and might disable anti-malware tools or bypass their detection.

REvil virus detection
REvil is recognized by the majority of AV scanners

For that reason, you should enter Safe Mode with Networking – this environment is ideal for tackling problems related to the Windows OS, as well as eliminating even the most dangerous malware. From there, you should use anti-malware software such as Reimage, SpyHunter 5, Combo Cleaner or another tool to terminate REvil ransomware and repair the virus damage. We explain how to do that below, so please follow the instructions carefully.

Once you perform a full REvil ransomware removal, you can attempt file recovery. If you had backups on an external drive such as a flash drive, or backups on a virtual server, you can copy your files back. If you did not have backups prepared, you should check our alternative solutions below. If those do not work, you will have to wait until an official REvil ransomware decryptor is released.


To remove REvil virus, follow these steps:

Remove REvil using Safe Mode with Networking

REvil or Sodinokibi ransomware is known to use sophisticated evasion methods and even disable anti-malware software. To prevent that, access Safe Mode with Networking to temporarily disable malware functionality:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove REvil

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete REvil removal.

If the ransomware is blocking Safe Mode with Networking, try the following method.

Remove REvil using System Restore

System Restore can also be used to get rid of the virus (be aware that some ransomware variants might disable this feature):

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of REvil. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it and make sure that REvil removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove REvil from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

Malware authors ask for a significant amount of money for the decryption tool. Be aware that after paying the criminals you might never receive it, and so lose not only your files but also the paid Bitcoins. Therefore, do not risk it, and instead employ these methods, which might help you retrieve at least some of your data.

If your files are encrypted by REvil, you can use several methods to restore them:

Data Recovery Pro might be successful when trying to restore data encrypted by REvil

While there is no guarantee that Data Recovery Pro will help you at all, there is a chance of restoring at least some of your files. Please follow these steps:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by REvil ransomware;
  • Restore them.

Make use of Windows Previous versions feature

The Windows Previous Versions feature is a relatively simple tool to use, but it is only available if the System Restore feature was enabled prior to the malware attack. Additionally, this method only lets you restore files one by one, so a full recovery might be impractical.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

In some cases, ShadowExplorer is the answer

ShadowExplorer would work if REvil failed to delete the Shadow Volume Copies.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

REvil decryptor is currently unavailable

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from REvil and other ransomware, use a reputable anti-spyware tool, such as Reimage, SpyHunter 5, Combo Cleaner or Malwarebytes.

About the author

Olivia Morelli
Olivia Morelli - Ransomware analyst
