{
	"id": "8dd5e3cf-0c2d-4c3d-83e0-28ac2d88e68a",
	"created_at": "2026-04-06T00:19:50.451385Z",
	"updated_at": "2026-04-10T03:21:42.450397Z",
	"deleted_at": null,
	"sha1_hash": "7605909a23636c3f47d35feef6f2dff4e8cec24d",
	"title": "Revix Linux Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1908190,
	"plain_text": "Revix Linux Ransomware\r\nBy Vishal Thakur\r\nPublished: 2023-04-06 · Archived: 2026-04-05 18:52:56 UTC\r\nA duplicate copy of this article by Vishal can also be found here:\r\nhttps://angle.ankura.com/post/102hcny/revix-linux-ransomware\r\nIn the first half of 2021, we started to see the REvil ransomware operators targeting Linux-based systems with a new Linux version of the more commonly seen Windows version of the same ransomware. There have been a few versions of this Linux-based malware since then.\r\nIn this publication, we take a look at the latest version, 1.2a.\r\nMalpedia link\r\nYouTube link\r\nYARA Rulesets\r\nhttps://github.com/YaraExchange/yarasigs/blob/master/ransomware/crime_lin_revil.yar\r\nhttps://github.com/YaraExchange/yarasigs/blob/master/ransomware/crime_lin_revix.yar\r\nhttps://malienist.medium.com/revix-linux-ransomware-d736956150d0\r\nPage 1 of 11\n\nQuick Snapshot\r\nClass: ELF64\r\nType: Dynamically Linked\r\nMachine: X86-64\r\nNumber of section headers: 28\r\nEntry Point: 0x401650\r\ncallq: __libc_start_main@plt\r\nMD5: c83df66c46bcbc05cd987661882ff061\r\nIntroduction\r\nThe execution of this malware is straightforward. It traverses the directories it targets and encrypts the files present in them. Once encryption is complete, it drops a ransom note in the directory with the usual ransom message and instructions on how to pay the bad actors to get the decryption key.\r\nThis malware requires a couple of parameters to be passed to it in order to execute successfully. It also must be run with escalated privileges in order to successfully encrypt files on the disk.\r\nOne of the main targets for this malware is VMware’s ESX platform, which we’ve seen before in a different Linux ransomware, Darkside.\r\nThis malware is not able to encrypt data if executed by a non-privileged user. It also checks the files in the target directories to see if they are already encrypted.\r\nAnalysis\r\nFor the purpose of this publication, we analyse this malware both statically and dynamically. We switch between the two methodologies as we go through the analysis process.\r\nA quick look at section .init:\r\nSection .text:\r\nFunctions\r\nThe malware loads a number of functions upon initialisation. Following some of the interesting ones, we are able to extract useful information that can be used to understand the flow of execution and to write some detections, as we’ll see later in this article.\r\nMalware functions loaded upon initialisation\r\nFunction sequence during execution\r\nInitialization\r\nLet’s take a quick look at the program initialization:\r\nExecution initialisation\r\nParameters for the command-line arguments\r\nExecution\r\nWhen executed as a non-privileged user, the malware is not able to achieve full execution.\r\nAs we can see in the image below, the malware has been provided the directory ‘here’ for the purpose of this analysis:\r\nThe malware tries to access the data in this directory for read/write and is not successful, as the image below shows:\r\nThe malware also tries to encrypt the test file that we have provided in the target directory for the purpose of this analysis, but the encryption process fails as that action requires higher privileges:\r\nAs a result, the execution fails to achieve the desired outcome for the malware, as shown by the result in the image below:\r\nAnother point of interest from this failed execution is that the malware attempted to execute an esxcli command but was not able to do so:\r\nAll of this changes when we run the malware with escalated privileges.\r\nFirstly, the malware is able to access the data in the target directory:\r\nNext, we can see that the malware is able to perform read/write operations on the data in the target directories, resulting in successful encryption of that data:\r\nWe can see from the image below that the malware is able to write the ransom-note text file to the disk:\r\nAnd finally, we can see that the execution completes successfully, resulting in the data present in the target directory being encrypted:\r\nThe file we provided in the target directory is now encrypted and a ransom note is created in the same directory:\r\nThe malware also checks if the data in the target directory is already encrypted. To demonstrate this, we ran the malware against the same target directory one more time.\r\nUpon execution, the malware runs a check on the data present in the target directory and identifies it as already encrypted:\r\nAs a result, the execution ends with no data being encrypted:\r\nVMware ESX targeting\r\nThis malware also tries to use esxcli, the command-line interface for the VMware ESX platform. Let’s take a quick look at the parameters passed to esxcli as command-line arguments.\r\nesxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\r\nvm process list\r\nList the virtual machines on this system. This command currently will only list running VMs on the system.\r\nvm process kill\r\nUsed to forcibly kill Virtual Machines that are stuck and not responding to normal stop operations.\r\n--type\r\nThere are three types of VM kills that can be attempted: [soft, hard, force].\r\n--world-id | -w\r\nThe World ID of the Virtual Machine to kill. This can be obtained from the ‘vm process list’ command (required)\r\nSo what these esxcli command-line arguments are doing is shutting down all VMs running on the ESX platform.\r\nThe idea is to run the malware targeting the ‘/vmfs’ directory and encrypt all the data present in that directory so that all the VMs are rendered inoperable until the data is decrypted.\r\nThis targeting is similar to that seen in DarkSide’s Linux variant.\r\nCommand-line Arguments\r\nThe malware requires the following parameters to be passed for its execution to begin:\r\nelf.exe --path /vmfs/ --threads 5\r\nIt also allows the ‘--silent’ option, which executes the malware without stopping the VMs:\r\n--silent (-s) use for not stoping VMs mode *\r\nConfig\r\nThe config of this Linux version is similar to that of its Windows variant, only with fewer fields.\r\nHere’s an image showing the config we were able to extract from the sample we analysed:\r\nProfiling\r\nThe malware also gathers information about the victim machine by running this command:\r\nuname -a \u0026\u0026 echo \" | \" \u0026\u0026 hostname\r\nAnd we can see the result in the stack:\r\nThe info is then passed through the registers:\r\nAnd the end result is created in the form of this config with the victim information:\r\nEncryption\r\nThe malware uses the Salsa20 encryption algorithm (just like its Windows variant) to encrypt the data, and here’s the pseudocode for the function that implements it:\r\nMitigation\r\nDetections\r\nThe malware runs this command to determine machine info:\r\nuname -a \u0026\u0026 echo \" | \" \u0026\u0026 hostname\r\nThe malware tries to access this path:\r\n/dev/urandom\r\nThe malware runs this command to stop VMs running on the ESX platform in order to encrypt the data on those VMs:\r\nesxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\r\nTypos:\r\nIn some instances, typos that malware authors commit to the code are useful in detecting the malware or similar code used in other malware. These are a couple of typos we found in this variant of Revix:\r\n--silent (-s) use for not stoping VMs mode\r\nsemms to be protected by os but let's encrypt anyway…\r\nConclusion\r\nAs we can see in the analysis notes above, the execution is a bit clunky in this variant and requires multiple conditions to be met before the ransomware succeeds in encrypting data. The malware needs to be executed from the command line with elevated privileges, a specified target directory and a number of threads. If the malware is not run in silent mode, it will try to stop the VMs, which could trigger a detection and quite possibly fail to encrypt data on the VMs due to reduced/restricted access.\r\nReferences\r\nESXi 7.0 U3 ESXCLI Command Reference\r\nDarkSide on Linux: Virtual Machines Targeted — Naiim, M., 2021\r\ngetdents64(2) — Linux man page\r\nCode Analysis details by Intezer Analyse\r\nSource: https://malienist.medium.com/revix-linux-ransomware-d736956150d0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://malienist.medium.com/revix-linux-ransomware-d736956150d0"
	],
	"report_names": [
		"revix-linux-ransomware-d736956150d0"
	],
	"threat_actors": [],
	"ts_created_at": 1775434790,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7605909a23636c3f47d35feef6f2dff4e8cec24d.pdf",
		"text": "https://archive.orkl.eu/7605909a23636c3f47d35feef6f2dff4e8cec24d.txt",
		"img": "https://archive.orkl.eu/7605909a23636c3f47d35feef6f2dff4e8cec24d.jpg"
	}
}