Revix Linux Ransomware
By Key ContactsAnkura ConsultingEmail Ankura Consulting
Archived: 2026-04-06 00:47:51 UTC
In the first half of 2021, we started to see the REvil ransomware operators pivot to targeting Linux-based systems
with a new Linux version of their ransomware, similar to the malware they commonly used on Windows systems.
Since then, there have been a few versions of this Linux-based malware.
In this post, we look at the latest version of their Linux-based ransomware “1.2a”.
Quick Snapshot:
The malicious file is a Linux executable
Class: ELF64
Type: Dynamically Linked
Machine: X86-64
Number of section headers: 28
Entry Point: 0x401650
callq: __libc_start_main@plt
MD5: c83df66c46bcbc05cd987661882ff061
Yara Rules: 
Introduction
The execution of this malware is straightforward. It traverses through the directories specified as targets and
encrypts the files present in those directories. Once encryption is complete, it drops a ransom note in the directory
with the usual ransom message and instructions on paying the threat actor to get the decryption key.
https://angle.ankura.com/post/102hcny/revix-linux-ransomware
Page 1 of 15

This variant of Revix requires a couple of parameters to be passed to execute successfully. It also requires
escalated privileges to run and encrypt files on the disk successfully. Additionally, the malware checks the files in
the target directories to see if they are already encrypted.
One of the main targets for this malware is VMware ESX platform’s, which we’ve seen before in a different Linux
ransomware from DarkSide.
Analysis
For this post, we analyzed Revix both statically and dynamically. Both methodologies have been used together
throughout the analysis process presented below.
Let’s take a quick look at a couple of sections of this executable so that we have the offsets to some of the initial
calls that can be used for further analysis.
Figure 1: Header Information
Section .init:
This section holds executable instructions that need to be executed before the main program entry point.
Figure 2: section
Section .text:
This section contains executable code.
https://angle.ankura.com/post/102hcny/revix-linux-ransomware
Page 2 of 15

Figure 3: section
Functions
Revix loads several functions upon initialization. Following are some of the more interesting functions we can
extract useful information from, to understand the flow of execution, along with developing threat detections that
we’ve provided at the end of this post.
We execute the malware while attached to a debugger and break at the main function to view these functions
presented below. Once we hit the main function, we follow the jump to ‘puts’ function to look at the CPU at that
location. We can see all the loaded functions at this point.
Figure 4: Malware functions loaded upon initialization
Figure 5: Function sequence during execution
https://angle.ankura.com/post/102hcny/revix-linux-ransomware
Page 3 of 15

Initialization
Let’s take a quick look at the program initialization:
The malware requires to be run with a couple of command-line arguments. We can see these being passed through
the stack in the image below/
Figure 6: Parameters for the command-line arguments
The image below shows another view from the CPU that shows the program execution in flight.
Figure 7: Program execution in flight
Figure 8: Stack view
Execution
When executed as a non-privileged user, the malware is not able to achieve full execution.
As shown in the image below, the malware has been provided with the directory ‘here/’ for this analysis.
Figure 9: Write execution on dir
The malware tries to access the data in this directory for read/write and is unsuccessful, as shown below.
Figure 10: getdent64 unsuccessful
The malware also tries to encrypt a test file that we used in our analysis, but the encryption process fails as that
action requires higher privileges.
https://angle.ankura.com/post/102hcny/revix-linux-ransomware
Page 4 of 15

Figure 11: Encryption unsuccessful
As a result, the execution fails to achieve the desired outcome for the malware, as shown below.
Figure 12: Encryption failed
Another point of interest from this failed execution is that the malware attempted to execute a esxcli command but
this action fails as there is no esxcli on our test machine.
Figure 13: esxcli not found
When we execute Revix with elevated privileges, we start to see more successful activity from the malware.
Firstly, Revix can access the data in the target directory.
Figure 14: getdents64 successful
We can see in the image above, the system call ‘getdents’. This system call returns directory entries for the
directory it’s run against.
Figure 15: getdents64(2) Synopsis
In this case, there are three entries as we can see from the result shown in the image above.
Next, we can see that Revix is able to perform read/write functions on the data in the target directories, resulting in
successful encryption of files.
https://angle.ankura.com/post/102hcny/revix-linux-ransomware
Page 5 of 15

Figure 16: Encryption successful
The Revix output below shows that it can write the ransom note text file to the victim’s disk.
Figure 17: Ransom note write successful
Finally, we can see that the execution is completed successfully, resulting in the data present in the target directory
being encrypted:
Figure 18: Execution complete
The file we provided in the target directory is now encrypted, and a ransom note is created in the same directory:
Figure 19: Execution complete, file encrypted
The malware also checks if the data in the target directory is already encrypted. To demonstrate this, we ran Revix
against the same target directory one more time.
Upon execution, Revix runs a check on the data present in the target directory and identifies it to be already
encrypted:
Figure 20: Encryption check performed
As a result, the execution ends up with no data being encrypted.
https://angle.ankura.com/post/102hcny/revix-linux-ransomware
Page 6 of 15

Figure 21: Execution complete
VMware ESX Targeting
Revix also tries to use esxcli, the command line interface for VMware’s ESX platform.
Let’s take a quick look at the parameters passed to esxcli by Revix when it executes:
esxcli –formatter=csv –format-param=fields==”WorldID,DisplayName” vm process list | awk -F “”*,”*”
‘{system(“esxcli vm process kill –type=force –world-id=” $1)}’
vm process list
List the virtual machines on this system. This command currently will only list running VMs on the system.
vm process kill
Used to forcibly kill Virtual Machines that are stuck and not responding to normal stop operations.
–type
There are three types of VM kills that can be attempted: [soft, hard, force].
–world-id | -w
The World ID of the Virtual Machine to kill. This can be obtained from the ‘vm process list’ command (required)
Essentially, these ESX command-line arguments are shutting down all virtual machines running on the ESX
platform.
Revix attempts to target the ‘/vmfs’ directory and encrypt all the data present in that directory, so all the virtual
machines are rendered inoperable until the data is decrypted. This targeting is similar to that seen in DarkSide’s
Linux variant.
Command-line Arguments
The malware requires the following parameters to be passed for its execution to begin:
elf.exe –path /vmfs/ –threads 5
https://angle.ankura.com/post/102hcny/revix-linux-ransomware
Page 7 of 15

It also allows the ‘–silent’ option that executes the malware without stopping any VMs
–silent (-s) use for not stoping VMs mode *
Parameter Purpose
–path Specifies the path of the data that needs to be encrypted
–threads Specifies the number of threads, by default the malware uses 50 threads
–silent Executes the malware without stopping the VMs running on ESX
Configuration
The configuration of Revix is similar to that of its Windows variant, only with fewer fields.
Field Description
pk Public Key
pid ID
Sub Tag
Dbg Debug mode
nbody Base64-encoded body of the ransom-note
nname Filename of the ransom-note
rdmcnt Readme Count
https://angle.ankura.com/post/102hcny/revix-linux-ransomware
Page 8 of 15

ext File extension of the encrypted files
Here’s an image showing the configuration we were able to extract from the sample we analysed:
Figure 22: Configuration
Profiling
Revix also gathers information about the victim machine by running the “uname” command:
uname -a && echo ” | ” && hostname
Figure 23: System profiling
The results of the above command appear in the stack:
Figure 24: Stack view of system profiling in action
The info is then passed through the registers:
https://angle.ankura.com/post/102hcny/revix-linux-ransomware
Page 9 of 15

Figure 25: Register view od system profiling in action
And the end-result is created in the form of this configuration with the victim information:
Figure 26: System profiling complete
Encryption
The malware uses Salsa20 encryption algorithm, just like its Windows variant, to encrypt the data. Here is the
pseudocode for the function that implements this encryption:
Figure 27: Pseudo-code for the encryption algorithm
https://angle.ankura.com/post/102hcny/revix-linux-ransomware
Page 10 of 15

Mitigation
Detections
Commands
Revix runs this command to determine machine info:
uname -a && echo ” | ” && hostname
Revix tries to query this directory:
/dev/urandom
Revix runs the below command to stop VMs running on the ESX platform in order to encrypt the data on those
VMs:
esxcli –formatter=csv –format-param=fields==”WorldID,DisplayName” vm process list | awk -F “”*,”*”
‘{system(“esxcli vm process kill –type=force –world-id=” $1)}’
Typos:
In some instances, typos that malware authors commit to the code are useful in detecting specific malware or
similar code used in other malware families. Below are some of the typos we found in this variant of Revix:
–silent (-s) use for not stoping VMs mode
semms to be protected by os but let’s encrypt anyway…
YARA Ruleset 1
rule Revix {
   meta:
description = “Detects REvil Linux – Revix 1.1 and 1.2”
      author = “Josh Lemon”
      reference = “https://angle.ankura.com/post/102hcny/revix-linux-ransomware”
      date = “2021-11-04”
      version = “1.0”
      hash1 = “f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5”
      hash2 = “559e9c0a2ef6898fabaf0a5fb10ac4a0f8d721edde4758351910200fe16b5fa7”
      hash3 = “ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4”
   strings:
      $s1 = “Usage example: elf.exe –path /vmfs/ –threads 5” fullword ascii
https://angle.ankura.com/post/102hcny/revix-linux-ransomware
Page 11 of 15

$s2 = “uname -a && echo ” | ” && hostname” fullword ascii
      $s3 = “esxcli –formatter=csv –format-param=fields==”WorldID,DisplayName” vm process
list” ascii
      $s4 = “awk -F “\”*,\”*” ‘{system(“esxcli” ascii
      $s5 = “–silent (-s) use for not stoping VMs mode” fullword ascii
      $s6 = “!!!BY DEFAULT THIS SOFTWARE USES 50 THREADS!!!” fullword ascii
      $s7 = “%d:%d: Comment not allowed here” fullword ascii
      $s8 = “Error decoding user_id %d ” fullword ascii
      $s9 = “Error read urandm line %d!” fullword ascii
      $s10 = “%d:%d: Unexpected `%c` in comment opening sequence” fullword ascii
      $s11 = “%d:%d: Unexpected EOF in block comment” fullword ascii
      $s12 = “Using silent mode, if you on esxi – stop VMs manualy” fullword ascii
      $s13 = “rand: try to read %hu but get %lu bytes” fullword ascii
      $s14 = “Revix” fullword ascii
      $s15 = “without –path encrypts current dir” fullword ascii
       $e1 = “[%s] already encrypted” fullword ascii
      $e2 = “File [%s] was encrypted” fullword ascii
      $e3 = “File [%s] was NOT encrypted” fullword ascii
      $e4 = “Encrypting [%s]” fullword ascii
   condition:
      uint16(0) == 0x457f and filesize
}
YARA Ruleset 2
/*
author = “Vishal Thakur – malienist.medium.com”
date = “2021-11-15”
version = “1”
description = “Detects Revix-1.2a and earlier versions of Revix”
info = “Generated from information extracted from the malware sample by manual analysis.”
*/
import “pe”
rule revixStatic {
  strings:
https://angle.ankura.com/post/102hcny/revix-linux-ransomware
Page 12 of 15

$header = { 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 02 00 3e 00 01 00 00 00 50 16
40 00 00 00 00 00 }
    $config = { 7B 22 76 65 72 22 3A ?? ?? 2C 22 70 69 64 22 3A 22 ?? ?? 22 2C 22 73 75 62 22
3A 22 ?? ?? 22 2C 22 70 6B 22 3A 22 ?? ?? 22 2C 22 75 69 64 22 3A 22 ?? ?? 22 2C 22 73 6B
22 3A 22 ?? ?? 22 2C 22 6F 73 22 3A 22 ?? ?? 22 2C 22 65 78 74 22 3A 22 ?? ?? 22 7D }
    $uname = { 75 6E 61 6D 65 20 2D 61 20 26 26 20 65 63 68 6F }
  condition:
    all of them and
    filesize
}
rule revixCode {
    strings:
    $err1 = { 45 72 72 6F 72 20 6F 70 65 6E 20 75 72 61 6E 64 6D }
    $err2 = { 45 72 72 6F 72 20 64 65 63 6F 64 69 6E 67 20 6D 61 73 74 65 72 5F 70 6B }
    $err3 = { 66 61 74 61 6C 20 65 72 72 6F 72 2C 6D 61 73 74 65 72 5F 70 6B 20 73 69 7A 65
20 69 73 20 62 61 64 }
    $err4 = { 45 72 72 6F 72 20 64 65 63 6F 64 69 6E 67 20 75 73 65 72 5F 69 64 }
    $err5 = { 45 72 72 6F 72 20 64 65 63 6F 64 69 6E 67 20 6E 6F 74 65 5F 62 6F 64 79 }
    $form1 = { 65 78 70 61 6E 64 20 33 32 2D 62 79 74 65 ?? ?? }
    $form2 = { 65 78 70 61 6E 64 20 31 36 2D 62 79 74 65 ?? ?? }
    $config = { 7B 22 76 65 72 22 3A ?? ?? 2C 22 70 69 64 22 3A 22 ?? ?? 22 2C 22 73 75 62 22
3A 22 ?? ?? 22 2C 22 70 6B 22 3A 22 ?? ?? 22 2C 22 75 69 64 22 3A 22 ?? ?? 22 2C 22 73 6B
22 3A 22 ?? ?? 22 2C 22 6F 73 22 3A 22 ?? ?? 22 2C 22 65 78 74 22 3A 22 ?? ?? 22 7D }
  condition:
    all of them and
    filesize
}
rule revixESX {
https://angle.ankura.com/post/102hcny/revix-linux-ransomware
Page 13 of 15

strings:
    $cmd1 = { 65 73 78 63 6C 69 }
    $cmd2 = { 2D 66 6F 72 6D 61 74 74 65 72 3D ?? ?? ?? }
    $cmd3 = { 2D 2D 66 6F 72 6D 61 74 2D 70 61 72 61 6D }
    $cmd4 = { 76 6D 20 70 72 6F 63 65 73 73 20 6C 69 73 74 }
    $cmd5 = { 65 73 78 63 6C 69 20 76 6D 20 70 72 6F 63 65 73 73 20 6B 69 6C 6C }
    $cmd6 = { 2D 2D 77 6F 72 6C 64 2D 69 64 3D 22 ?? ?? ?? }
    $config = { 7B 22 76 65 72 22 3A ?? ?? 2C 22 70 69 64 22 3A 22 ?? ?? 22 2C 22 73 75 62 22
3A 22 ?? ?? 22 2C 22 70 6B 22 3A 22 ?? ?? 22 2C 22 75 69 64 22 3A 22 ?? ?? 22 2C 22 73 6B
22 3A 22 ?? ?? 22 2C 22 6F 73 22 3A 22 ?? ?? 22 2C 22 65 78 74 22 3A 22 ?? ?? 22 7D }
  condition:
    all of them and
    filesize
}
rule revixPE {
  condition:
    pe.entry_point == 0x401650
}
Conclusion
As we can see in the analysis shown above, the execution of Revix is a bit clunky in this variant. It requires
multiple conditions to be met before the ransomware is successful in encrypting data. 
Revix needs to be executed as a command-line argument with elevated privileges, specified target directories, and
the number of threads. Basically, it’s not a standalone application at this time and is quite noisy as well. 
If Revix is not run with silent mode enabled, it will try to stop any VMWare ESX virtual machines, triggering
incident response processes from the victim. Revix could quite possibly fail to encrypt the virtual machines due to
reduced/restricted access of where they reside on a Linux system.
As new variants for the Revix ransomware are released, we expect the execution to be more efficient, requiring
fewer manual processes from the threat actor.
https://angle.ankura.com/post/102hcny/revix-linux-ransomware
Page 14 of 15

References
ESXi 7.0 U3 ESXCLI Command Reference
DarkSide on Linux: Virtual Machines Targeted – Naiim, M.,2021 
getdents64(2) – Linux man page
Code Analysis details by Intezer Analyse
© Copyright 2021. The views expressed herein are those of the author(s) and not necessarily the views of Ankura
Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a
law firm and cannot provide legal advice.
Source: https://angle.ankura.com/post/102hcny/revix-linux-ransomware
https://angle.ankura.com/post/102hcny/revix-linux-ransomware
Page 15 of 15