{ "id": "f0ab2801-bd27-4a4c-b7ac-340b02495f12", "created_at": "2026-04-06T00:15:54.835143Z", "updated_at": "2026-04-10T13:12:00.335967Z", "deleted_at": null, "sha1_hash": "8c3e25f7e40ced73a2270059fcb165720aeabbaa", "title": "https://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 40860, "plain_text": "https://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2\r\nArchived: 2026-04-05 23:01:15 UTC\r\n{\r\n # Public key used for the campaign\r\n \"pk\": \"9/AgyLvWEviWbvuayR2k0Q140e9LZJ5hwrmto/zCyFM=\",\r\n # Unique ID to identify the affiliate\r\n \"pid\": \"$2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq\",\r\n # Campaign ID\r\n \"sub\": \"8254\",\r\n # Debug mode enabled\r\n \"dbg\": false,\r\n # Encryption type (0 means encrypt the whole file)\r\n \"et\": 0,\r\n # Wipe specified folders\r\n \"wipe\": true,\r\n # Whitelist\r\n \"wht\": {\r\n # Folder names to whitelist\r\n \"fld\": [\r\n \"program files\",\r\n \"appdata\",\r\n \"mozilla\",\r\n \"$windows.~ws\",\r\n \"application data\",\r\n \"$windows.~bt\",\r\n \"google\",\r\n \"$recycle.bin\",\r\n \"windows.old\",\r\n \"programdata\",\r\n \"system volume information\",\r\n \"program files (x86)\",\r\n \"boot\",\r\n \"tor browser\",\r\n \"windows\",\r\n \"intel\",\r\n \"perflogs\",\r\n \"msocache\"\r\n ],\r\n # File names to whitelist\r\n \"fls\": [\r\n \"ntldr\",\r\n \"thumbs.db\",\r\n \"bootsect.bak\",\r\n \"autorun.inf\",\r\n \"ntuser.dat.log\",\r\n \"boot.ini\",\r\n \"iconcache.db\",\r\n \"bootfont.bin\",\r\n \"ntuser.dat\",\r\n \"ntuser.ini\",\r\n \"desktop.ini\"\r\n ],\r\n # File extensions to whitelist\r\n \"ext\": [\r\n \"ps1\",\r\n \"ldf\",\r\n \"lock\",\r\n \"theme\",\r\n \"msi\",\r\n \"sys\",\r\n \"wpx\",\r\n \"cpl\",\r\n \"adv\",\r\n \"msc\",\r\n \"scr\",\r\n \"bat\",\r\nhttps://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json\r\nPage 1 of 3\n\n\"key\",\r\n \"ico\",\r\n \"dll\",\r\n \"hta\",\r\n \"deskthemepack\",\r\n \"nomedia\",\r\n \"msu\",\r\n \"rtp\",\r\n \"msp\",\r\n \"idx\",\r\n \"ani\",\r\n \"386\",\r\n \"diagcfg\",\r\n \"bin\",\r\n \"mod\",\r\n \"ics\",\r\n \"com\",\r\n \"hlp\",\r\n \"spl\",\r\n \"nls\",\r\n \"cab\",\r\n \"exe\",\r\n \"diagpkg\",\r\n \"icl\",\r\n \"ocx\",\r\n \"rom\",\r\n \"prf\",\r\n \"themepack\",\r\n \"msstyles\",\r\n \"lnk\",\r\n \"icns\",\r\n \"mpa\",\r\n \"drv\",\r\n \"cur\",\r\n \"diagcab\",\r\n \"cmd\",\r\n \"shs\"\r\n ]\r\n },\r\n # Folders to wipe\r\n \"wfld\": [\r\n \"backup\"\r\n ],\r\n # Processes to kill\r\n \"prc\": [\r\n \"encsvc\",\r\n \"powerpnt\",\r\n \"ocssd\",\r\n \"steam\",\r\n \"isqlplussvc\",\r\n \"outlook\",\r\n \"sql\",\r\n \"ocomm\",\r\n \"agntsvc\",\r\n \"mspub\",\r\n \"onenote\",\r\n \"winword\",\r\n \"thebat\",\r\n \"excel\",\r\n \"mydesktopqos\",\r\n \"ocautoupds\",\r\n \"thunderbird\",\r\n \"synctime\",\r\n \"infopath\",\r\n \"mydesktopservice\",\r\n \"firefox\",\r\n \"oracle\",\r\n \"sqbcoreservice\",\r\n \"dbeng50\",\r\n \"tbirdconfig\",\r\n \"msaccess\",\r\nhttps://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json\r\nPage 2 of 3\n\n\"visio\",\r\n \"dbsnmp\",\r\n \"wordpad\",\r\n \"xfssvccon\"\r\n ],\r\n # Command \u0026 control domains\r\n \"dmn\": \"boisehosting.net;fotoideaymedia.es;dubnew.com;stallbyggen.se;koken-voor-baby.nl;juneauopioidworkgrou\r\n # Should system information be sent to C2 server\r\n \"net\": false,\r\n # Services to stop and delete\r\n \"svc\": [\r\n \"veeam\",\r\n \"memtas\",\r\n \"sql\",\r\n \"backup\",\r\n \"vss\",\r\n \"sophos\",\r\n \"svc$\",\r\n \"mepocs\"\r\n ],\r\n # Ransom note body encoded as BASE64\r\n \"nbody\": \"LQAtAC0APQA9AD0AIABXAGUAbABjAG8AbQBlAC4AIABBAGcAYQBpAG4ALgAgAD0APQA9AC0ALQAtAA0ACgANAAoAWwAtAF0AIA\r\n # Ransom note name\r\n \"nname\": \"{EXT}-readme.txt\",\r\n # Indicated whether it will try to elevate privileges through exploits\r\n \"exp\": false,\r\n # Ransom note wallpaper base image\r\n \"img\": \"QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBp\r\n # Indicates whether or not to create an autorun entry to establish persistence\r\n \"arn\": false,\r\n # Number of folders the ransom note gets written to, 0 meaning all folders\r\n \"rdmcnt\": 0\r\n}\r\nSource: https://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json\r\nhttps://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json" ], "report_names": [ "revil.json" ], "threat_actors": [], "ts_created_at": 1775434554, "ts_updated_at": 1775826720, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8c3e25f7e40ced73a2270059fcb165720aeabbaa.pdf", "text": "https://archive.orkl.eu/8c3e25f7e40ced73a2270059fcb165720aeabbaa.txt", "img": "https://archive.orkl.eu/8c3e25f7e40ced73a2270059fcb165720aeabbaa.jpg" } }