{
	"id": "2a71b824-ccf6-41aa-abc5-0ecdc43347c6",
	"created_at": "2026-04-06T00:18:26.494459Z",
	"updated_at": "2026-04-10T03:20:56.352108Z",
	"deleted_at": null,
	"sha1_hash": "4886719b2cb8644076725de9ddc7393d65c97124",
	"title": "REvil Ransomware Threat Research Update and Detections | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10948318,
	"plain_text": "REvil Ransomware Threat Research Update and Detections |\r\nSplunk\r\nBy Splunk Threat Research Team\r\nPublished: 2021-07-06 · Archived: 2026-04-05 12:42:51 UTC\r\nOn July 2, 2021, rumors of a \"supply-chain ransomware\" attack began circulating on Reddit and were later confirmed by Kaseya, the vendor of the VSA remote monitoring and management software. Kaseya shared in an open statement that this cyber attack was carried out by the ransomware criminal group REvil, which used Kaseya VSA to distribute ransomware to VSA on-premises customers. On July 5, 2021, our team at Splunk pushed out a rapid response blog to help organizations detect the REvil Kaseya ransomware in Splunk. While Splunk was not impacted by the ransomware attack, as a security leader we want to help the industry by providing tools, guidance and support.\r\nToday we provide more insight and research into this ransomware operation, in the hope of helping businesses around the world understand the group and its tactics.\r\nIntroduction to REvil\r\nThe REvil payload (Ransomware Evil, also known as Sodinokibi) is the product of a ransomware-as-a-service (RaaS) criminal enterprise. REvil is said to be related to the criminal group known as GandCrab. In a ransomware-as-a-service scheme, the core operators partner with affiliates, who bring new victims and attacks to the operation and so extend its reach; the operators reap profits from every intrusion the affiliates deliver. 
The profit is shared with the affiliates, which encourages them to infect more victims.\r\nThe REvil payload is associated with the following techniques and attack vectors:\r\nElliptic curve cryptography (ECC) in its file-encryption scheme (files, network shares)\r\nWindows Remote Desktop (RDP) brute-force entry\r\nDouble extortion (encryption plus the threat of leaking stolen data)\r\nTargeting of VPN devices\r\nPhishing emails\r\nAffiliates may choose different attack vectors, including exploitation of specific software\r\nUnderstanding How REvil Ransomware is Executed in a Simulation\r\nThe following images show REvil ransomware execution replicated via Splunk Attack Range. First, we can see the ransom note indicating the site located on the dark web where the victim needs to go for further information.\r\nhttps://www.splunk.com/en_us/blog/security/revil-ransomware-threat-research-update-and-detections.html\r\nPage 1 of 18\n\nThe ransomware payload does not disable the system completely: even though the documents are indeed encrypted, the system is left with enough capacity to download and install the Tor Browser. Once a victim browses to the named site via the Tor Browser, they find a form where the key found in the ransom note is meant to be entered. 
Notice there is a captcha on this form.\r\nAfter entering the key, the victim is presented with a page with instructions on the steps to follow to decrypt the files.\r\nIn the following capture, the Monero (XMR) address to which victims are supposed to send payment can be seen.\r\nThe next capture shows the dark web page where the REvil ransomware gang advertises the information they claim to have obtained from victims that did not pay the ransom.\r\nREvil Command-line Arguments\r\nREvil ransomware also accepts several command-line parameters that dictate its behavior or the features it will execute; the \"REvil Common Exec Parameter\" search later in this post keys on the -nolan, -nolocal, -fast and -full switches.\r\nREvil Configuration JSON File\r\nREvil uses the RC4 stream cipher to decrypt its notable strings and its configuration file. It does this by parsing the 0x20-byte (32-byte) RC4 key placed in one of its sections and verifying the checksum of the encrypted configuration blob embedded in its code body before decrypting it. This configuration file (JSON format) contains the information and conditions that govern how it encrypts the files on the compromised machine.\r\nBelow is the screenshot and description of the notable fields in that configuration file.\r\nKill Switch for REvil Ransomware\r\nThis ransomware also has a kill switch. 
It checks the machine's keyboard layouts and system language and declines to compromise hosts configured with certain languages (Russian, Ukrainian, Belarusian and many more), as shown in the screenshot below.\r\nPrivilege Escalation\r\nREvil ransomware will try to re-launch itself using \"runas\" in order to run with elevated privileges.\r\nPersistence\r\nIf the \"arn\" field in its configuration file is enabled, it creates an autorun registry entry on the compromised machine as a persistence mechanism.\r\nDefacement\r\nAside from the ransom notes it drops in several folders on the compromised machine, it also creates a bitmap image containing a note that the machine is infected and sets it as the desktop wallpaper.\r\nCOM Object\r\nThe Splunk Threat Research Team also found functions in REvil ransomware that use the COM objects \"4590f811-1d3a-11d0-891f-00aa004b2e24\" and \"49BD2028-1523-11D1-AD79-00C04FD8FDFF\" with the IWbemClassObject interface to work in the root\\cimv2 WMI namespace, for WMI-based execution and for privilege escalation.\r\nOther Registry Entry\r\nREvil is known to generate a random file extension (5-10 characters) that it uses both in the filename of its ransom notes and as the extension of the files it encrypts. This randomly generated string is also saved in a unique registry key. In this case, the randomly generated file extension is \".teu459110\".\r\nMachine Info\r\nREvil ransomware also gathers information about the compromised machine, such as the computer name, user name, language used by the machine, product name, operating system, network group, OS version, and the file extension it generated for the encrypted files. 
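The decrypt-and-verify flow described in the REvil Configuration JSON File section above (parse a 32-byte RC4 key, check a checksum over the encrypted blob, RC4-decrypt, then parse the JSON), as an added example in Python. This is not code from the Splunk post or from the REvil sample: the blob layout (key, then CRC32, then length, then ciphertext), the choice of CRC32 as the checksum, the sample key and the one-field configuration are constructed assumptions for illustration; only the 'arn' field name comes from the post.

```python
import json
import struct
import zlib

# Added example, not code from the Splunk post or from the REvil sample: a
# pure-Python RC4 plus a decrypt-and-verify routine modelled on the post's
# description of how REvil recovers its JSON configuration (a 0x20-byte RC4
# key parsed from a section, a checksum over the encrypted config, then RC4).
# The blob layout [key][CRC32][length][ciphertext] and the choice of CRC32 as
# the checksum are assumptions made for this example, not REvil's real layout.

KEY_LEN = 0x20  # the 32-byte RC4 key size the post describes


def rc4(key: bytes, data: bytes) -> bytes:
    # Key-scheduling algorithm (KSA).
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA). RC4 is symmetric, so this one
    # function both encrypts and decrypts.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pack_config(key: bytes, config: dict) -> bytes:
    # Build the (assumed) blob: 32-byte key, CRC32 of the ciphertext, length, ciphertext.
    if len(key) != KEY_LEN:
        raise ValueError('RC4 key must be 0x20 bytes')
    cipher = rc4(key, json.dumps(config, separators=(',', ':')).encode())
    return key + struct.pack('<II', zlib.crc32(cipher) & 0xFFFFFFFF, len(cipher)) + cipher


def verify_blob(blob: bytes) -> bool:
    # Checksum check over the encrypted config, done before any decryption, as
    # the post describes; a patched or truncated config fails here.
    if len(blob) < KEY_LEN + 8:
        return False
    crc, length = struct.unpack('<II', blob[KEY_LEN:KEY_LEN + 8])
    cipher = blob[KEY_LEN + 8:KEY_LEN + 8 + length]
    return len(cipher) == length and (zlib.crc32(cipher) & 0xFFFFFFFF) == crc


def unpack_config(blob: bytes) -> dict:
    # Parse the key, verify the checksum, then RC4-decrypt and parse the JSON.
    if not verify_blob(blob):
        raise ValueError('configuration checksum mismatch or truncated blob')
    key = blob[:KEY_LEN]
    length = struct.unpack('<I', blob[KEY_LEN + 4:KEY_LEN + 8])[0]
    cipher = blob[KEY_LEN + 8:KEY_LEN + 8 + length]
    return json.loads(rc4(key, cipher).decode())


# Constructed sample: a fake 32-byte key and a minimal configuration. Only the
# 'arn' field name (autorun persistence switch) comes from the post.
SAMPLE_KEY = bytes(range(0x41, 0x41 + KEY_LEN))
SAMPLE_CONFIG = {'arn': True}


def demo() -> dict:
    # Round trip: pack with the sample key, then recover the config the way the
    # payload would.
    return unpack_config(pack_config(SAMPLE_KEY, SAMPLE_CONFIG))


if __name__ == '__main__':
    print(demo())
```

Against a real sample the key offset, checksum algorithm and blob layout have to be recovered from the binary first; the point of verifying before decrypting is that a config patched by an analyst (or corrupted in memory) is rejected rather than silently producing garbage JSON.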
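The registry side-effects described in the Persistence, Defacement and Other Registry Entry sections above, turned into checks that run over Sysmon EventCode 13 (RegistryEvent, value set) records, as an added example in Python that is not part of the Splunk post. The checks follow the logic of the post's 'REvil Registry Entry' and 'Modification Of Wallpaper' searches and add a simple Run-key check for the 'arn' behaviour; the sample events, the process path svc_update.exe and the Program Files / Windows allow-list used by the Run-key check are constructed assumptions.

```python
import re

# Added example, not code from the Splunk post: the registry side-effects the
# post attributes to REvil (Run-key persistence when 'arn' is set, the random
# 5-10 character extension stored under a unique key, and wallpaper
# defacement) as checks over Sysmon EventCode 13 records. Field names
# (EventCode, Image, TargetObject, Details) are Sysmon's own; the sample
# events and the process path svc_update.exe are constructed, not captured.

# Value name shaped like the random extension, e.g. '.teu459110'.
RANDOM_EXT = re.compile('^[.][A-Za-z0-9]{5,10}$')
# One of the two registry paths the post's 'REvil Registry Entry' search keys on.
REVIL_KEY_FRAGMENT = '\\software\\wow6432node\\facebook_assistant\\'
RUN_KEY_FRAGMENT = '\\microsoft\\windows\\currentversion\\run\\'
# Assumption for the Run-key check: commands rooted here are treated as benign.
TRUSTED_ROOTS = ('c:\\program files', 'c:\\windows')


def value_name(ev: dict) -> str:
    # Sysmon puts the value name after the last backslash of TargetObject.
    return ev['TargetObject'].rsplit('\\', 1)[-1]


def wallpaper_defacement(ev: dict) -> bool:
    # Same logic as 'Modification Of Wallpaper': the Wallpaper value set by a
    # process other than explorer.exe, or pointed at a file under a temp folder.
    if ev.get('EventCode') != 13:
        return False
    target = ev['TargetObject'].lower()
    if not target.endswith('\\control panel\\desktop\\wallpaper'):
        return False
    image = ev.get('Image', '').lower()
    details = ev.get('Details', '').lower()
    return not image.endswith('\\explorer.exe') or '\\temp\\' in details


def revil_registry_entry(ev: dict) -> bool:
    # Same logic as 'REvil Registry Entry': a value under the REvil key whose
    # name looks like the random extension, or whose data is binary.
    if ev.get('EventCode') != 13:
        return False
    if REVIL_KEY_FRAGMENT not in ev['TargetObject'].lower():
        return False
    return bool(RANDOM_EXT.match(value_name(ev))) or ev.get('Details', '').startswith('Binary Data')


def autorun_persistence(ev: dict) -> bool:
    # The 'arn' behaviour: a Run-key value whose command lives outside the
    # trusted roots above (tune TRUSTED_ROOTS for your environment).
    if ev.get('EventCode') != 13:
        return False
    if RUN_KEY_FRAGMENT not in ev['TargetObject'].lower():
        return False
    details = ev.get('Details', '').lower()
    return not details.startswith(TRUSTED_ROOTS)


CHECKS = {
    'REvil Registry Entry': revil_registry_entry,
    'Modification Of Wallpaper': wallpaper_defacement,
    'Autorun persistence': autorun_persistence,
}


def run_detections(events) -> list:
    # Returns (event index, detection name) for every check that fires.
    hits = []
    for idx, ev in enumerate(events):
        for name, check in CHECKS.items():
            if check(ev):
                hits.append((idx, name))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {'EventCode': 13, 'Image': 'C:\\Users\\victim\\Downloads\\svc_update.exe',
     'TargetObject': 'HKLM\\SOFTWARE\\WOW6432Node\\Facebook_Assistant\\.teu459110',
     'Details': 'Binary Data'},
    {'EventCode': 13, 'Image': 'C:\\Users\\victim\\Downloads\\svc_update.exe',
     'TargetObject': 'HKU\\S-1-5-21-1\\Control Panel\\Desktop\\Wallpaper',
     'Details': 'C:\\Users\\victim\\AppData\\Local\\Temp\\note.bmp'},
    {'EventCode': 13, 'Image': 'C:\\Windows\\explorer.exe',
     'TargetObject': 'HKU\\S-1-5-21-1\\Control Panel\\Desktop\\Wallpaper',
     'Details': 'C:\\Windows\\Web\\Wallpaper\\Windows\\img0.jpg'},
    {'EventCode': 13, 'Image': 'C:\\Users\\victim\\Downloads\\svc_update.exe',
     'TargetObject': 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater',
     'Details': 'C:\\Users\\victim\\Downloads\\svc_update.exe'},
]

if __name__ == '__main__':
    for idx, name in run_detections(SAMPLE_EVENTS):
        print(idx, name, SAMPLE_EVENTS[idx]['TargetObject'])
```

The third sample event (explorer.exe setting a wallpaper under C:\Windows\Web) is the benign case the explorer.exe exclusion exists for; wallpaper-management or MDM software that writes the same value from its own process will trip the check and needs to be added to the exclusion in production.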
Below is an example of that information in JSON format.\r\nDefense Evasion\r\nIt also executes a Base64-encoded PowerShell command that deletes the Volume Shadow Copies of the compromised machine, so that encrypted files cannot be restored from them. Note that powershell -e expects the Base64 encoding of the UTF-16LE bytes of the script, which is why the encoded form is considerably longer than the command itself.\r\nBase64 encoded:\r\npowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIAR\r\nBase64 decoded:\r\nGet-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\r\nDetect REvil Ransomware with Splunk\r\nThe tstats searches below require the Endpoint data model (Processes, Registry, Filesystem) to be populated, and the others require Sysmon or Windows System event logs to be ingested; tune the exclusion lists, and generic switches such as -fast and -full, to your environment before alerting on them.\r\nREvil Registry Entry (New)\r\n| tstats `security_content_summariesonly` count values(Registry.registry_key_name)\r\n as registry_key_name values(Registry.registry_path) as registry_path min(_time)\r\n as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where\r\n(Registry.registry_path=\"*\\\\SOFTWARE\\\\WOW6432Node\\\\Facebook_Assistant\\\\*\" OR Registry.registry_path=\"*\\\\SOFTWARE\r\n AND (Registry.registry_value_name = \"\\.*\" OR Registry.registry_value_name = \"Binary Data\") by Registry.registry_value_name Registry.dest Registry.user\r\n| `security_content_ctime(lastTime)`\r\n| `security_content_ctime(firstTime)`\r\n| `drop_dm_object_name(Registry)`\r\nREvil Common Exec Parameter (New)\r\n| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes\r\n where Processes.process = \"*-nolan*\" OR Processes.process = \"*-nolocal*\"\r\nOR Processes.process = \"*-fast*\" OR Processes.process = \"*-full*\"\r\n by Processes.process_name Processes.process Processes.parent_process_name\r\nProcesses.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid\r\nModification Of Wallpaper (New)\r\nsourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational 
OR\r\nsource=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\r\nEventCode=13 (TargetObject= \"*\\\\Control Panel\\\\Desktop\\\\Wallpaper\" AND Image != \"*\\\\explorer.exe\")\r\n OR (TargetObject= \"*\\\\Control Panel\\\\Desktop\\\\Wallpaper\" AND Details = \"*\\\\temp\\\\*\")\r\n | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Image TargetObject Details Compute\r\nWbemprox COM Object Execution (New)\r\nsourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR\r\nsource=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\r\n EventCode=7 ImageLoaded IN (\"*\\\\fastprox.dll\", \"*\\\\wbemprox.dll\", \"*\\\\wbemcomn.dll\")\r\n NOT (process_name IN (\"wmiprvse.exe\", \"WmiApSrv.exe\", \"unsecapp.exe\")) NOT(Image IN(\"*\\\\windows\\\\*\",\"*\\\\progr\r\n | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer Event\r\nKnown Services Killed by Ransomware (New)\r\nsourcetype=WinEventLog:System EventCode=7036 Message IN\r\n(\"*VSS*\", \"*backup*\", \"*sophos*\", \"*sql*\", \"*memtas*\", \"*mepocs*\", \"*veeam*\", \"*svc$*\")\r\n Message=\"*service entered the stopped state*\"\r\n | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message dest Type\r\nAllow Network Discovery In Firewall (New)\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)\r\n as lastTime from datamodel=Endpoint.Processes where Processes.process_name=netsh.exe\r\n Processes.process= \"*firewall*\" Processes.process= \"*group=\\\"Network Discovery\\\"*\" Processes.process=\"*enabl\r\nby 
Processes.dest Processes.user Processes.parent_process Processes.process_name\r\n Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name\r\n | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`\r\nDisable Windows Behavior Monitoring (Updated)\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)\r\n as lastTime from datamodel=Endpoint.Registry where\r\n Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBeh\r\n Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableOnA\r\n Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableSca\r\n Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonit\r\n Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" OR\r\n Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIOAVProtection\" OR\r\n Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableScriptScanning\"\r\n Registry.registry_value_name = \"DWORD (0x00000001)\"\r\nby Registry.registry_path Registry.registry_key_name Registry.registry_value_name\r\n Registry.dest\r\n | `drop_dm_object_name(Registry)`\r\n | `security_content_ctime(firstTime)`\r\n |`security_content_ctime(lastTime)`\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)\r\n as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"powershell.exe\", \"pwsh.exe\",\r\n Processes.process=\"*set-mppreference*\" AND\r\n Processes.process IN 
(\"*disablerealtimemonitoring*\",\"*disableioavprotection*\",\"*disableintrusionpreventionsys\r\n by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes\r\n | `drop_dm_object_name(Processes)`\r\n| `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nMsmpeng Application DLL Side-Loading (New)\r\nThis search looks for the Microsoft Defender binary msmpeng.exe being written together with an mpsvc.dll: the REvil Kaseya payload dropped a legitimate, signed msmpeng.exe next to a malicious mpsvc.dll so that the trusted binary side-loads the ransomware.\r\n| tstats `security_content_summariesonly` values(Filesystem.file_path) as\r\n file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem\r\n where (Filesystem.file_name = \"msmpeng.exe\" OR Filesystem.file_name = \"mpsvc.dll\") AND Filesystem.file_path\r\n by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user\r\n | `drop_dm_object_name(Filesystem)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nHashes\r\nREvil Ransomware:\r\nSHA256: 33026ba868a6159223b486b57caebe40926208bb80b89749318e51dcd5b8b883\r\nMitigation\r\nFor mitigation of this and similar ransomware threats, please use the CISA ransomware guidance for reference:\r\nhttps://www.cisa.gov/ransomware\r\nWe hope that this information is helpful. Our team is standing by to help if you need it.\r\nSource: https://www.splunk.com/en_us/blog/security/revil-ransomware-threat-research-update-and-detections.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/revil-ransomware-threat-research-update-and-detections.html"
	],
	"report_names": [
		"revil-ransomware-threat-research-update-and-detections.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434706,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4886719b2cb8644076725de9ddc7393d65c97124.pdf",
		"text": "https://archive.orkl.eu/4886719b2cb8644076725de9ddc7393d65c97124.txt",
		"img": "https://archive.orkl.eu/4886719b2cb8644076725de9ddc7393d65c97124.jpg"
	}
}