{ "id": "2b976c23-64e8-43ee-a2a5-e607aa8e7c8b", "created_at": "2026-04-06T00:22:20.606443Z", "updated_at": "2026-04-10T03:24:30.153203Z", "deleted_at": null, "sha1_hash": "7a68280e1379a1b07b0c5cabdbcdd1d22e7321d9", "title": "REvil ransomware has a new \u0026lsquo;Windows Safe Mode\u0026rsquo; encryption mode", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2127327, "plain_text": "REvil ransomware has a new \u0026lsquo;Windows Safe Mode\u0026rsquo;\r\nencryption mode\r\nBy Lawrence Abrams\r\nPublished: 2021-03-19 · Archived: 2026-04-05 15:13:51 UTC\r\nThe REvil ransomware operation has added a new ability to encrypt files in Windows Safe Mode, likely to evade detection\r\nby security software and for greater success when encrypting files.\r\nWindows Safe Mode is a special startup mode that allows users to run administrative and diagnostic tasks on the operating\r\nsystem. This mode only loads the bare minimum of software and drivers required for the operating system to work. \r\nFurthermore, any programs installed in Windows that are configured to start automatically will not start in Safe Mode unless\r\ntheir autorun is configured a certain way.\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nOne of the ways to create an autorun in Windows is to create entries under the following Registry keys:\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nThe 'Run' keys will launch a program every time you log in, while the 'RunOnce' key will launch a program only once and\r\nthen remove the entry from the Registry.\r\nFor example, the following Registry key will automatically start the C:\\Users\\test\\test.exe program when you log in to\r\nWindows.\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n\"Startup\"=\"C:\\Users\\test\\test.exe\"\r\nHowever, the above autorun will not launch in Safe Mode unless you add an asterisk (*) to the beginning of the value name\r\nlike the following:\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n\"*Startup\"=\"C:\\Users\\test\\test.exe\"\r\nREvil now includes a 'Safe Mode' mode\r\nIn a new sample of the REvil ransomware discovered by MalwareHunterTeam, a new -smode command-line argument was\r\nadded that forces the computer to reboot into Safe Mode before encrypting a device.\r\nTo do this, REvil will execute the following commands to force the computer to boot into Safe Mode with Networking when\r\nWindows next restarts.\r\nbootcfg /raw /a /safeboot:network /id 1\r\nbcdedit /set {current} safeboot network\r\nIt then creates a 'RunOnce' autorun called '*franceisshit' that executes ' bcdedit /deletevalue {current} safeboot ' after\r\nthe users logs into Safe Mode.\r\nRunOnce entry to delete the \r\nFinally, the ransomware performs a forced restart of Windows that cannot be interrupted by the user.\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/\r\nPage 3 of 6\n\nRight before the process exits, it will create an additional RunOnce autorun named 'AstraZeneca,' possibly about France's\r\nrecent deliberations about using the vaccine.\r\nThis autorun will relaunch the REvil ransomware without the -smode argument when the next user logs in after the device is\r\nrebooted. \r\nAstraZeneca autorun entry\r\nIt is important to remember that both of these 'RunOnce' entries will be executed after logging into Safe Mode and will\r\nautomatically be deleted by Windows.\r\nOn reboot, the device will start up in Safe Mode With Networking, and the user will be prompted to log into Windows. Once\r\nthey login, the REvil ransomware will be executed without the -smode argument so that it begins to encrypt the files on the\r\ndevice.\r\nWindows will also run the  ' bcdedit /deletevalue {current} safeboot ' command configured by the '*AstraZeneca'\r\nRegistry key so that the machine can reboot into normal mode when the ransomware is finished.\r\nWhile REvil is encrypting files, the Safe Mode screen will be blank, but it is still possible to use Ctrl+Alt+Delete to launch\r\nthe Windows Task Manager. From there, you can see the executable running, which in our test is named 'smode.exe,' as\r\nshown below.\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/\r\nPage 4 of 6\n\nREvil ransomware running in Safe Mode\r\nWhile running, the ransomware will prevent users from launching any programs through Task Manager until it finishes\r\nencrypting the device.\r\nOnce the device is encrypted, it will allow the rest of the bootup sequence to proceed, and the desktop will be shown with a\r\nransom note and encrypted files.\r\nDevice encrypted in Safe Mode\r\nUnusual approach\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/\r\nPage 5 of 6\n\nREvil's new Safe Mode operation is a bit strange as it requires users to log in to the device after they restart into Safe Mode.\r\nFurthermore, once they log into Safe Mode, they will be presented with a blank screen, and heavy thrashing of drives as the\r\nransomware encrypts the device.\r\nThis behavior could cause users to become instantly suspicious and hibernate or shut down their computers to be safe.\r\nFor this reason, it is possible that the attackers are manually running the new Safe Mode command against specific\r\ncomputers, such as virtual machines or servers, that they want to encrypt without issues.\r\nRegardless of the reasons, this is another new attack method that security professionals and Windows admins need to watch\r\nout for as ransomware gangs constantly evolve their tactics.\r\nREvil is not the only operation to utilize Safe Mode for encrypting devices.\r\nIn 2019, another ransomware known as 'Snatch' also added the ability to encrypt a device in Safe Mode using a Windows\r\nservice.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA", "MITRE" ], "references": [ "https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/" ], "report_names": [ "revil-ransomware-has-a-new-windows-safe-mode-encryption-mode" ], "threat_actors": [ { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434940, "ts_updated_at": 1775791470, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7a68280e1379a1b07b0c5cabdbcdd1d22e7321d9.pdf", "text": "https://archive.orkl.eu/7a68280e1379a1b07b0c5cabdbcdd1d22e7321d9.txt", "img": "https://archive.orkl.eu/7a68280e1379a1b07b0c5cabdbcdd1d22e7321d9.jpg" } }