{
	"id": "5254e43b-bf72-4248-bc78-5eeac29267c0",
	"created_at": "2026-04-06T00:09:01.497044Z",
	"updated_at": "2026-04-10T13:11:56.198413Z",
	"deleted_at": null,
	"sha1_hash": "6bd953ece7c3daa4ac8aaa792ea0e733a7b6baa6",
	"title": "REvil Ransomware Can Now Reboot Infected Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 235945,
	"plain_text": "REvil Ransomware Can Now Reboot Infected Devices\r\nBy Akshaya Asokan\r\nArchived: 2026-04-05 13:28:40 UTC\r\nBusiness Continuity Management / Disaster Recovery, Fraud Management \u0026 Cybercrime, Governance \u0026 Risk Management\r\nMalwareHunterTeam Finds Updated Capabilities (asokan_akshaya) • March 24, 2021\r\nThe REvil ransomware gang has added a new malware capability that enables the attackers to reboot an infected device after encryption, security researchers at MalwareHunterTeam report.\r\nIn a recent tweet, the researchers note that REvil operators have added two new command-line arguments to the ransomware, called 'AstraZeneca' and 'Franceisshit', which relate to Windows Safe Mode, the mode used to access a Windows device's startup settings screen.\r\n\"'AstraZeneca' is used to run the ransomware sample itself in the safe mode, and 'Franceisshit' is used to run a command in the safe mode to make the PC run in normal mode after the next reboot,\" MalwareHunterTeam tweeted.\r\nEmsisoft threat analyst Brett Callow told ISMG: \"While not unique, the approach is certainly unusual. The most likely reason for REvil introducing this functionality is that it may enable their ransomware to avoid detection by some security products,\" as these capabilities enable the attackers to encrypt files while the machine is in Windows Safe Mode.\r\n\"Causing a Windows computer to reboot in safe mode can disable software, potentially even antivirus or anti-ransomware software, that is working to keep your computer safe,\" says Erich Kron, security awareness advocate at the security firm KnowBe4. \"This would then allow the attackers to make changes that may otherwise not be allowed in normal running mode.\"\r\nOrganizations can help prevent malicious actions by monitoring computers for unexpected reboot activities and by having effective data loss prevention controls in place, Kron says. \"Because REvil primarily uses compromised RDP sessions and email phishing for distribution, organizations need to ensure that any internet-accessible RDP instances are secured, preferably with a form of multifactor authentication, and that their employees are stepped through high-quality security awareness training that can help them spot and report phishing attacks.\"\r\nREvil Activity\r\nREvil, also known as Sodinokibi and Sodin, first appeared in April 2019. The gang behind the ransomware has been tied to several high-profile attacks, such as the May 2020 attacks against celebrity law firm Grubman Shire Meiselas and Sacks and an April 2020 attack on Travelex, a London-based currency exchange that paid a ransom of $2.3 million to regain access to its data.\r\nRecently, the gang reportedly targeted Taiwanese PC maker Acer, apparently by exploiting the unpatched ProxyLogon flaw in an on-premises version of Microsoft Exchange Server (see: Acer Reportedly Targeted by Ransomware Gang).\r\nThe REvil gang has continually upgraded its malware and changed its extortion tactics. It now often targets larger organizations in search of much bigger payoffs, publicly names and shames victims through its dedicated leak site, and targets victims who have cyber insurance (see: Charm Offensive: Ransomware Gangs 'Tell All' in Interviews).\r\nSpike in REvil Attacks\r\nSecurity researchers have attributed the recent spike in REvil attacks to the gang's growing number of affiliates under its ransomware-as-a-service model (see: Ransomware: As GandCrab Retires, Sodinokibi Rises).\r\nA 2019 report by security firm McAfee uncovered at least 41 active affiliates. In another report, McAfee noted that to infect victims, REvil affiliates mainly used remote desktop protocol brute-forcing, phishing, malicious script injection and hacking into IT solutions provided by managed service providers (see: Ransomware Gangs' Not-So-Secret Attack Vector: RDP Exploits).\r\nSource: https://www.bankinfosecurity.com/revil-ransomware-now-reboot-infected-devices-a-16259",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bankinfosecurity.com/revil-ransomware-now-reboot-infected-devices-a-16259"
	],
	"report_names": [
		"revil-ransomware-now-reboot-infected-devices-a-16259"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434141,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6bd953ece7c3daa4ac8aaa792ea0e733a7b6baa6.pdf",
		"text": "https://archive.orkl.eu/6bd953ece7c3daa4ac8aaa792ea0e733a7b6baa6.txt",
		"img": "https://archive.orkl.eu/6bd953ece7c3daa4ac8aaa792ea0e733a7b6baa6.jpg"
	}
}