{
	"id": "94c64832-eb1c-4ed1-828d-49c3bb4c0053",
	"created_at": "2026-04-06T01:29:27.52356Z",
	"updated_at": "2026-04-10T03:20:36.583613Z",
	"deleted_at": null,
	"sha1_hash": "2e2efdd366768cb5160a89823fea598f965ba933",
	"title": "Revix Linux Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 797065,
	"plain_text": "Revix Linux Ransomware\r\nBy Ankura Consulting\r\nArchived: 2026-04-06 00:47:51 UTC\r\nIn the first half of 2021, we started to see the REvil ransomware operators pivot to targeting Linux-based systems\r\nwith a new Linux version of their ransomware, similar to the malware they commonly used on Windows systems.\r\nSince then, there have been a few versions of this Linux-based malware.\r\nIn this post, we look at the latest version of their Linux-based ransomware “1.2a”.\r\nQuick Snapshot:\r\nThe malicious file is a Linux executable\r\nClass: ELF64\r\nType: Dynamically Linked\r\nMachine: X86-64\r\nNumber of section headers: 28\r\nEntry Point: 0x401650\r\ncallq: __libc_start_main@plt\r\nMD5: c83df66c46bcbc05cd987661882ff061\r\nYara Rules: \r\nIntroduction\r\nThe execution of this malware is straightforward. It traverses the directories specified as targets and\r\nencrypts the files present in those directories. Once encryption is complete, it drops a ransom note in the directory\r\nwith the usual ransom message and instructions on paying the threat actor to get the decryption key.\r\nhttps://angle.ankura.com/post/102hcny/revix-linux-ransomware\r\nPage 1 of 15\n\nThis variant of Revix requires a couple of parameters to be passed to execute successfully. It also requires\r\nescalated privileges to run and encrypt files on the disk successfully. Additionally, the malware checks the files in\r\nthe target directories to see if they are already encrypted.\r\nOne of the main targets for this malware is VMware ESX platforms, which we’ve seen before in a different Linux\r\nransomware from DarkSide.\r\nAnalysis\r\nFor this post, we analyzed Revix both statically and dynamically. 
Both methodologies have been used together\r\nthroughout the analysis process presented below.\r\nLet’s take a quick look at a couple of sections of this executable so that we have the offsets to some of the initial\r\ncalls that can be used for further analysis.\r\nFigure 1: Header Information\r\nSection .init:\r\nThis section holds executable instructions that need to be executed before the main program entry point.\r\nFigure 2: .init section\r\nSection .text:\r\nThis section contains executable code.\r\nFigure 3: .text section\r\nFunctions\r\nRevix loads several functions upon initialization. Below are some of the more interesting functions, from which we\r\ncan extract useful information to understand the flow of execution and to develop the threat detections that\r\nwe’ve provided at the end of this post.\r\nWe execute the malware while attached to a debugger and break at the main function to view these functions\r\npresented below. Once we hit the main function, we follow the jump to the ‘puts’ function to look at the CPU at that\r\nlocation. We can see all the loaded functions at this point.\r\nFigure 4: Malware functions loaded upon initialization\r\nFigure 5: Function sequence during execution\r\nInitialization\r\nLet’s take a quick look at the program initialization:\r\nThe malware needs to be run with a couple of command-line arguments. 
We can see these being passed through\r\nthe stack in the image below.\r\nFigure 6: Parameters for the command-line arguments\r\nThe image below shows another view from the CPU that shows the program execution in flight.\r\nFigure 7: Program execution in flight\r\nFigure 8: Stack view\r\nExecution\r\nWhen executed as a non-privileged user, the malware is not able to achieve full execution.\r\nAs shown in the image below, the malware has been provided with the directory ‘here/’ for this analysis.\r\nFigure 9: Write execution on dir\r\nThe malware tries to access the data in this directory for read/write and is unsuccessful, as shown below.\r\nFigure 10: getdents64 unsuccessful\r\nThe malware also tries to encrypt a test file that we used in our analysis, but the encryption process fails as that\r\naction requires higher privileges.\r\nFigure 11: Encryption unsuccessful\r\nAs a result, the execution fails to achieve the desired outcome for the malware, as shown below.\r\nFigure 12: Encryption failed\r\nAnother point of interest from this failed execution is that the malware attempted to execute an esxcli command, but\r\nthis action fails as there is no esxcli on our test machine.\r\nFigure 13: esxcli not found\r\nWhen we execute Revix with elevated privileges, we start to see more successful activity from the malware.\r\nFirstly, Revix can access the data in the target directory.\r\nFigure 14: getdents64 successful\r\nIn the image above, we can see the system call ‘getdents’. 
This system call returns directory entries for the\r\ndirectory it’s run against.\r\nFigure 15: getdents64(2) Synopsis\r\nIn this case, there are three entries, as we can see from the result shown in the image above.\r\nNext, we can see that Revix is able to perform read/write functions on the data in the target directories, resulting in\r\nsuccessful encryption of files.\r\nFigure 16: Encryption successful\r\nThe Revix output below shows that it can write the ransom note text file to the victim’s disk.\r\nFigure 17: Ransom note write successful\r\nFinally, we can see that the execution is completed successfully, resulting in the data present in the target directory\r\nbeing encrypted:\r\nFigure 18: Execution complete\r\nThe file we provided in the target directory is now encrypted, and a ransom note is created in the same directory:\r\nFigure 19: Execution complete, file encrypted\r\nThe malware also checks if the data in the target directory is already encrypted. To demonstrate this, we ran Revix\r\nagainst the same target directory one more time.\r\nUpon execution, Revix runs a check on the data present in the target directory and identifies it to be already\r\nencrypted:\r\nFigure 20: Encryption check performed\r\nAs a result, the execution ends up with no data being encrypted.\r\nFigure 21: Execution complete\r\nVMware ESX Targeting\r\nRevix also tries to use esxcli, the command line interface for VMware’s ESX platform.\r\nLet’s take a quick look at the parameters passed to esxcli by Revix when it executes:\r\nesxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\" $1)}'\r\nvm process list\r\nList the virtual machines on this system. 
This command currently will only list running VMs on the system.\r\nvm process kill\r\nUsed to forcibly kill Virtual Machines that are stuck and not responding to normal stop operations.\r\n--type\r\nThere are three types of VM kills that can be attempted: [soft, hard, force].\r\n--world-id | -w\r\nThe World ID of the Virtual Machine to kill. This can be obtained from the ‘vm process list’ command (required).\r\nEssentially, these ESX command-line arguments shut down all virtual machines running on the ESX\r\nplatform.\r\nRevix attempts to target the ‘/vmfs’ directory and encrypt all the data present in that directory, so all the virtual\r\nmachines are rendered inoperable until the data is decrypted. This targeting is similar to that seen in DarkSide’s\r\nLinux variant.\r\nCommand-line Arguments\r\nThe malware requires the following parameters to be passed for its execution to begin:\r\nelf.exe --path /vmfs/ --threads 5\r\nIt also allows the ‘--silent’ option, which executes the malware without stopping any VMs:\r\n--silent (-s) use for not stoping VMs mode *\r\nParameter Purpose\r\n--path Specifies the path of the data that needs to be encrypted\r\n--threads Specifies the number of threads; by default the malware uses 50 threads\r\n--silent Executes the malware without stopping the VMs running on ESX\r\nConfiguration\r\nThe configuration of Revix is similar to that of its Windows variant, only with fewer fields.\r\nField Description\r\npk Public Key\r\npid ID\r\nsub Tag\r\ndbg Debug mode\r\nnbody Base64-encoded body of the ransom-note\r\nnname Filename of the ransom-note\r\nrdmcnt Readme Count\r\next File extension of the encrypted files\r\nHere’s an image showing the configuration we were able to extract from the sample we analysed:\r\nFigure 22: Configuration\r\nProfiling\r\nRevix also gathers information 
about the victim machine by running the “uname” command:\r\nuname -a \u0026\u0026 echo \" | \" \u0026\u0026 hostname\r\nFigure 23: System profiling\r\nThe results of the above command appear in the stack:\r\nFigure 24: Stack view of system profiling in action\r\nThe info is then passed through the registers:\r\nFigure 25: Register view of system profiling in action\r\nAnd the end result is created in the form of this configuration with the victim information:\r\nFigure 26: System profiling complete\r\nEncryption\r\nThe malware uses the Salsa20 encryption algorithm, just like its Windows variant, to encrypt the data. Here is the\r\npseudocode for the function that implements this encryption:\r\nFigure 27: Pseudo-code for the encryption algorithm\r\nMitigation\r\nDetections\r\nCommands\r\nRevix runs this command to determine machine info:\r\nuname -a \u0026\u0026 echo \" | \" \u0026\u0026 hostname\r\nRevix tries to read from this path:\r\n/dev/urandom\r\nRevix runs the below command to stop VMs running on the ESX platform in order to encrypt the data on those\r\nVMs:\r\nesxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\" $1)}'\r\nTypos:\r\nIn some instances, typos that malware authors commit to the code are useful in detecting specific malware or\r\nsimilar code used in other malware families. 
Below are some of the typos we found in this variant of Revix:\r\n--silent (-s) use for not stoping VMs mode\r\nsemms to be protected by os but let's encrypt anyway...\r\nYARA Ruleset 1\r\nrule Revix {\r\n   meta:\r\n      description = \"Detects REvil Linux - Revix 1.1 and 1.2\"\r\n      author = \"Josh Lemon\"\r\n      reference = \"https://angle.ankura.com/post/102hcny/revix-linux-ransomware\"\r\n      date = \"2021-11-04\"\r\n      version = \"1.0\"\r\n      hash1 = \"f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5\"\r\n      hash2 = \"559e9c0a2ef6898fabaf0a5fb10ac4a0f8d721edde4758351910200fe16b5fa7\"\r\n      hash3 = \"ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4\"\r\n   strings:\r\n      $s1 = \"Usage example: elf.exe --path /vmfs/ --threads 5\" fullword ascii\r\n      $s2 = \"uname -a \u0026\u0026 echo \\\" | \\\" \u0026\u0026 hostname\" fullword ascii\r\n      $s3 = \"esxcli --formatter=csv --format-param=fields==\\\"WorldID,DisplayName\\\" vm process list\" ascii\r\n      $s4 = \"awk -F \\\"\\\\\\\"*,\\\\\\\"*\\\" '{system(\\\"esxcli\" ascii\r\n      $s5 = \"--silent (-s) use for not stoping VMs mode\" fullword ascii\r\n      $s6 = \"!!!BY DEFAULT THIS SOFTWARE USES 50 THREADS!!!\" fullword ascii\r\n      $s7 = \"%d:%d: Comment not allowed here\" fullword ascii\r\n      $s8 = \"Error decoding user_id %d \" fullword ascii\r\n      $s9 = \"Error read urandm line %d!\" fullword ascii\r\n      $s10 = \"%d:%d: Unexpected `%c` in comment opening sequence\" fullword ascii\r\n      $s11 = \"%d:%d: Unexpected EOF in block comment\" fullword ascii\r\n      $s12 = \"Using silent mode, if you on esxi - stop VMs manualy\" fullword ascii\r\n      $s13 = \"rand: try to read %hu but get %lu bytes\" fullword ascii\r\n      $s14 = \"Revix\" fullword ascii\r\n      $s15 = \"without --path encrypts current dir\" fullword ascii\r\n      $e1 = \"[%s] already encrypted\" fullword ascii\r\n      $e2 = \"File [%s] was encrypted\" fullword ascii\r\n      $e3 = 
\"File [%s] was NOT encrypted\" fullword ascii\r\n      $e4 = \"Encrypting [%s]\" fullword ascii\r\n   condition:\r\n      uint16(0) == 0x457f and filesize\r\n}\r\nYARA Ruleset 2\r\n/*\r\nauthor = \"Vishal Thakur - malienist.medium.com\"\r\ndate = \"2021-11-15\"\r\nversion = \"1\"\r\ndescription = \"Detects Revix-1.2a and earlier versions of Revix\"\r\ninfo = \"Generated from information extracted from the malware sample by manual analysis.\"\r\n*/\r\nimport \"pe\"\r\nrule revixStatic {\r\n  strings:\r\n    $header = { 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 02 00 3e 00 01 00 00 00 50 16\r\n40 00 00 00 00 00 }\r\n    $config = { 7B 22 76 65 72 22 3A ?? ?? 2C 22 70 69 64 22 3A 22 ?? ?? 22 2C 22 73 75 62 22\r\n3A 22 ?? ?? 22 2C 22 70 6B 22 3A 22 ?? ?? 22 2C 22 75 69 64 22 3A 22 ?? ?? 22 2C 22 73 6B\r\n22 3A 22 ?? ?? 22 2C 22 6F 73 22 3A 22 ?? ?? 22 2C 22 65 78 74 22 3A 22 ?? ?? 22 7D }\r\n    $uname = { 75 6E 61 6D 65 20 2D 61 20 26 26 20 65 63 68 6F }\r\n  condition:\r\n    all of them and\r\n    filesize\r\n}\r\nrule revixCode {\r\n  strings:\r\n    $err1 = { 45 72 72 6F 72 20 6F 70 65 6E 20 75 72 61 6E 64 6D }\r\n    $err2 = { 45 72 72 6F 72 20 64 65 63 6F 64 69 6E 67 20 6D 61 73 74 65 72 5F 70 6B }\r\n    $err3 = { 66 61 74 61 6C 20 65 72 72 6F 72 2C 6D 61 73 74 65 72 5F 70 6B 20 73 69 7A 65\r\n20 69 73 20 62 61 64 }\r\n    $err4 = { 45 72 72 6F 72 20 64 65 63 6F 64 69 6E 67 20 75 73 65 72 5F 69 64 }\r\n    $err5 = { 45 72 72 6F 72 20 64 65 63 6F 64 69 6E 67 20 6E 6F 74 65 5F 62 6F 64 79 }\r\n    $form1 = { 65 78 70 61 6E 64 20 33 32 2D 62 79 74 65 ?? ?? }\r\n    $form2 = { 65 78 70 61 6E 64 20 31 36 2D 62 79 74 65 ?? ?? }\r\n    $config = { 7B 22 76 65 72 22 3A ?? ?? 2C 22 70 69 64 22 3A 22 ?? ?? 22 2C 22 73 75 62 22\r\n3A 22 ?? ?? 22 2C 22 70 6B 22 3A 22 ?? ?? 22 2C 22 75 69 64 22 3A 22 ?? ?? 22 2C 22 73 6B\r\n22 3A 22 ?? ?? 22 2C 22 6F 73 22 3A 22 ?? ?? 22 2C 22 65 78 74 22 3A 22 ?? ?? 
22 7D }\r\n  condition:\r\n    all of them and\r\n    filesize\r\n}\r\nrule revixESX {\r\n  strings:\r\n    $cmd1 = { 65 73 78 63 6C 69 }\r\n    $cmd2 = { 2D 66 6F 72 6D 61 74 74 65 72 3D ?? ?? ?? }\r\n    $cmd3 = { 2D 2D 66 6F 72 6D 61 74 2D 70 61 72 61 6D }\r\n    $cmd4 = { 76 6D 20 70 72 6F 63 65 73 73 20 6C 69 73 74 }\r\n    $cmd5 = { 65 73 78 63 6C 69 20 76 6D 20 70 72 6F 63 65 73 73 20 6B 69 6C 6C }\r\n    $cmd6 = { 2D 2D 77 6F 72 6C 64 2D 69 64 3D 22 ?? ?? ?? }\r\n    $config = { 7B 22 76 65 72 22 3A ?? ?? 2C 22 70 69 64 22 3A 22 ?? ?? 22 2C 22 73 75 62 22\r\n3A 22 ?? ?? 22 2C 22 70 6B 22 3A 22 ?? ?? 22 2C 22 75 69 64 22 3A 22 ?? ?? 22 2C 22 73 6B\r\n22 3A 22 ?? ?? 22 2C 22 6F 73 22 3A 22 ?? ?? 22 2C 22 65 78 74 22 3A 22 ?? ?? 22 7D }\r\n  condition:\r\n    all of them and\r\n    filesize\r\n}\r\nrule revixPE {\r\n  condition:\r\n    pe.entry_point == 0x401650\r\n}\r\nConclusion\r\nAs we can see in the analysis shown above, the execution of Revix is a bit clunky in this variant. It requires\r\nmultiple conditions to be met before the ransomware is successful in encrypting data.\r\nRevix needs to be executed from the command line with elevated privileges, specified target directories, and\r\nthe number of threads. Basically, it’s not a standalone application at this time and is quite noisy as well.\r\nIf Revix is not run with silent mode enabled, it will try to stop any VMware ESX virtual machines, triggering\r\nincident response processes from the victim. 
Revix could quite possibly fail to encrypt the virtual machines due to\r\nreduced/restricted access to where they reside on a Linux system.\r\nAs new variants of the Revix ransomware are released, we expect the execution to be more efficient, requiring\r\nfewer manual processes from the threat actor.\r\nReferences\r\nESXi 7.0 U3 ESXCLI Command Reference\r\nDarkSide on Linux: Virtual Machines Targeted – Naiim, M., 2021\r\ngetdents64(2) – Linux man page\r\nCode Analysis details by Intezer Analyze\r\n© Copyright 2021. The views expressed herein are those of the author(s) and not necessarily the views of Ankura\r\nConsulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a\r\nlaw firm and cannot provide legal advice.\r\nSource: https://angle.ankura.com/post/102hcny/revix-linux-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://angle.ankura.com/post/102hcny/revix-linux-ransomware"
	],
	"report_names": [
		"revix-linux-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775438967,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e2efdd366768cb5160a89823fea598f965ba933.pdf",
		"text": "https://archive.orkl.eu/2e2efdd366768cb5160a89823fea598f965ba933.txt",
		"img": "https://archive.orkl.eu/2e2efdd366768cb5160a89823fea598f965ba933.jpg"
	}
}