# Revenge Ransomware, a CryptoMix Variant, Being Distributed by RIG Exploit Kit

**[bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit](https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/)**

#### By
[Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/)

#### March 15, 2017 03:34 PM 5

 A new CryptoMix, or CryptFile2, variant called Revenge has been discovered by Broad Analysis that is being distributed via the RIG exploit kit. This variant contains many similarities to its predecessor CryptoShield, which is another CryptoMix variant, but includes some minor changes that are described below.

 As a note, in this article I will be referring to this infection as the Revenge Ransomware as that will most likely be how the victim's refer to it. It is important to remember, though, that this ransomware is not a brand new infection, but rather a new version of the CryptoMix ransomware family.

## How Victim's Become Infected with the Revenge Ransomware

#### Both BroadAnalysis.com and Brad Duncan, of Malware-Traffic-Analysis.net, have seen Revenge being distributed through web sites that have been hacked so that the RIG Exploit Kit javascript is added pages on the site. When someone visits one of these hacked sites, they will encounter the exploit kit, which will then try to exploit vulnerabilities in their computer in order to install the Revenge Ransomware without their knowledge or permission.

 An example of a RIG javascript can be seen in the image below.


-----

**Rig Exploit Kit Traffic**

**Source: BroadAnalysis.com**

## How the Revenge Ransomware Encrypts a Victim's Files

#### Once the ransomware executable is downloaded and executed on the victim's computer, it will generate a unique 16 hexadecimal character ID for the victim. It will then terminate the following database related processes so it has full access to the databases in order to encrypt them:
```
msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe,
ocssd.exe, dbsnmp.exe, synctime.exe, mydesktopqos.exe, agntsvc.exeisqlplussvc.exe,
xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exeagntsvc.exe,
agntsvc.exeencsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe,
mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe

 Revenge will then proceed to scan the computer for targeted files and encrypt them. While Revenge's predecessor targeted 454 extensions for encryption, Revenge targets 1,237 extensions, which can be seen at the end of the article.

 When Revenge encounters a targeted file it will encrypt it using AES-256 encryption, encrypt the filename, and then append the .REVENGE extension to the encrypted file. The format for a renamed file is [16_hex_char_vicimt_id][16_hex_char_encrypted_filename]
 [unknown_8_hex_char_string][8_char_encrypted_filename].REVENGE. For example, a file called test.jpg would be encrypted and renamed as something like ABCDEF0123456789B7BC7311B474CAFD.REVENGE.

 The AES encryption key used to encrypt the victim's files is then encrypted using a embedded RSA-1024 public key that only the ransomware developer has the ability to decrypt. The current public RSA key is:

```

-----

```
   BEGIN PUBLIC KEY
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCQrO3EuFElsq2cyX+mgWJ4lnK5
xE/YNZru2WpwEvEG2kTIcYthRInXveRJKnUzvtWJ0RCymL3mVbBQXF9JSCQPIkb5
NDDXDgVH16vZFBHbHoqiA4nORa7BAC9ThEgQk6+U8ZLLPahcxN9RXqE66WAmAeP9
1CerOjfLCUJMB02qoQIDAQAB
-----END PUBLIC KEY----
#### In each folder that Revenge encrypts a file, it will also create a ransom note named # !!!HELP_FILE!!! #.txt. Unlike previous versions of CryptoMix, this variant does not create a HTML version of the ransom note as well.

```
**Encrypted Files**

#### During the infection process, Revenge will issue the following commands to disable the Windows startup recovery and to clear the Windows Shadow Volume Copies as shown below.
```
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
"C:\Windows\System32\cmd.exe" /C net stop vss

 Revenge will also display a fake alert that states:
Windows Defender Virus and spyware definitions couldn't be updated. Click Continue
for recovery update soft.

 Like the fake alert in CryptoShield, the broken English in the Revenge alert should give victim's a hint that this alert is not legitimate.

```

-----

**Fake Explorer.exe Alert**

#### Once you press Continue in the above prompt, you will be presented with a User Account Control prompt, which asks if you wish to allow the command "C:\Windows\SysWOW64\wbem\WMIC.exe" process call create "%UserProfile%\a1x[r65r.exe" to execute. This explains why the previous alert was being shown; to convince a victim that they should click on the Yes button in the below UAC prompt so that ransomware is executed with administrative privileges.

**UAC Prompt for the Launch of the SmartScreen.exe Executable**

#### Finally, the Revenge Ransomware will display a ransom note called # !!!HELP_FILE!!! #.txt.


-----

**Text Ransom Note**

#### This ransom note contains information regarding what happened to your files, a personal identification ID, and three email addresses that can be used to contact the ransom developer for payment instructions. The current email addresses are rev00@india.com, revenge00@writeme.com rev reserv@india.com


-----

#### Unfortunately, at this time there is no way to currently decrypt files encrypted by Revenge for free. For those who wish to discuss this ransomware or receive support, you can always use our CryptoMix or CrypMix Ransomware Help Topic.

### File Associated with the Revenge Ransomware Variant:
```
C:\ProgramData\Microsofts\Windows NT\svchost.exe
# !!!HELP_FILE!!! #.txt

 Revenge Ransomware Hashes:
SHA256: f5bceebaecb329380385509d263f55e3d7bddde02377636a0e15f8bfd77a84a6

 Revenge Ransomware Network Communication:
109.236.87.201/js/other_scripts/get.php

 Example Revenge Ransom Note Text:

```

-----

```
  ENGLISH
 All of your files were encrypted using REVENGE Ransomware.
 The action required to restore the files.
 Your files are not lost, they can be returned to their normal state by decoding
them.
 The only way to do this is to get the software and your personal decryption key.
 Using any other software that claims to be able to recover your files will result in
corrupted or destroyed files.
 You can purchase the software and the decryption key by sending us an email with
your ID.
 And we send instructions for payment .
 After payment, you receive the software to return all files.
 For proof, we can decrypt one file for free. Attach it to an e-mail.
 ===ITALIAN===
 Tutti i file sono stati crittografati utilizzando REVENGE ransomware.
 L'azione richiesta per ripristinare i file.
 I file non sono persi, possono essere restituiti al loro normale stato di loro
decodifica.
 L'unico modo per farlo è quello di ottenere il software e la decrittografia
personale chiave.
 L'uso di qualsiasi altro software che sostiene di essere in grado di recuperare i
file si tradurrà in file danneggiati o distrutti.
 È possibile acquistare la chiave di software e decifratura con l'invio di una e-mail
con il tuo ID.
 E mandiamo le istruzioni per il pagamento.
 Dopo il pagamento, si riceve il software per ripristinare tutti i file.
 Per dimostrare che siamo in grado di decodificare il file. Inviaci un file di email. 
 ===GERMAN===
 Alle Dateien wurden mit REVENGE Ransomware verschlüsselt.
 Die notwendigen Schritte, um die Dateien wiederherzustellen.
 Die Dateien werden nicht verloren, können sie dekodiert werden.
 Der einzige Weg, zu tun ist, um die Software zu erhalten, und den privaten Schlüssel
zu entschlüsseln.
 Mit Software, die auf Ihre Dateien zu können behauptet, bewegen als Folge von
beschädigten oder zerstörten Dateien wiederhergestellt werden.
 Sie können die Software und Entschlüsselungsschlüssel erwerben, indem Sie uns per EMail Ihre ID senden.
 Und wir werden Anweisungen für die Zahlung senden.
 Nach der Bezahlung werden Sie eine Rückkehr von Software erhalten, die alle Dateien
wiederherstellen würde.
 Um zu beweisen, dass wir eine Datei kostenlos entschlüsseln kann. Anhängen einer
Datei an eine E-Mail.
 ===POLISH===
 Wszystkie pliki zostały zaszyfrowane przy użyciu REVENGE szkodnika.
 Konieczne działania w celu przywrócenia plików.
 Pliki nie są tracone, mogą one zostać zwrócone do swojego normalnego stanu poprzez
ich dekodowania.
 Jedynym sposobem na to jest, aby oprogramowanie i swój osobisty klucz deszyfrowania.
 Korzystanie z innego oprogramowania, które twierdzi, że jest w stanie odzyskać pliki
spowoduje uszkodzonych lub zniszczonych plików.
 Można kupić oprogramowanie i klucz deszyfrowania wysyłając do nas e-maila z ID.

```

-----

```
 A my wyślemy instrukcje dotyczące płatności.
 Po dokonaniu płatności otrzymasz oprogramowanie do zwrotu  plików.
 W celu udowodnienia, że możemy odszyfrować plik. Dołączyć go do wiadomości e-mail.
 ===KOREAN===

```
모든 파일은 REVENGE Ransomware를 사용하여 암호화되었습니다.
파일을 복원하는 데 필요한 작업.
파일은 손실되지 않으며 디코딩하여 정상 상태로 되돌릴 수 있습니다.
이를 수행하는 유일한 방법은 소프트웨어와 개인 암호 해독 키를 얻는 것입니다.
파일을 복구 할 수 있다고 주장하는 다른 소프트웨어를 사용하면 파일이 손상되거나 파손됩니다.
신분증을 이메일로 보내 소프트웨어 및 암호 해독 키를 구입할 수 있습니다.
그리고 우리는 지불 지시를 보낸다.
지불 후 모든 파일을 반환하는 소프트웨어를 받게됩니다.
우리는 무료로 하나의 파일의 암호를 해독 할 수 있습니다. 전자 메일 파일을 보내 주시기 바랍니다.
```
 CONTACT E-MAILS:
 EMAIL: rev00@india.com
 EMAIL: revenge00@writeme.com
 EMAIL: rev_reserv@india.com
 ID (PERSONAL IDENTIFICATION): ABCDEF0123456789

### Revenge Ransomware Associated Emails:
restoring_sup@india.com - SUPPORT;
restoring_sup@computer4u.com - SUPPORT RESERVE FIRST;
restoring_reserve@india.com - SUPPORT RESERVE SECOND;

 Extensions Targeted by Revenge:

```

-----

```
, .3G2, .3GP, .7Z, .AB4, .ACH, .ADB, .ADS, .AIT, .AL, .APJ, .ASF, .ASM, .ASP, .ASX,
.BACK, .BANK, .BGT, .BIK, .BKF, .BKP, .BPW, .C, .CDF, .CDR, .CDX, .CE1, .CE2, .ODF,
.ODG, .ODP, .ODS, .OIL, .ONE, .OTH, .OTP, .OTS, .P12, .P7B, .P7C, .PAS, .PAT, .PBO,
.PCT, .PHP, .PIP, .PLC, .POT, .POTM, .POTX, .PPAM, .PPS, .PPSM, .PPSX, .PRF, .PSAFE3,
.PSPIMAGE, .PUB, .PUZ, .PY, .QBA, .QBW, .R3D, .RAF, .RAR, .RAT, .RM, .RWZ, .SAS7BDAT,
.SAY, .SD0, .SDA, .SNP, .SRF, .SRT, .ST4, .ST5, .ST6, .ST7, .ST8, .STC, .STD, .STI,
.STX, .SXC, .SXI, .SXM, .VOB, .VSX, .VTX, .WAV, .WB2, .WLL, .WMV, .WPD, .X11, .XLA,
.XLAM, .XLB, .XLL, .XLM, .XLR, .XLSB, .XLT, .XLTM, .XLTX, .M4A, .WMA, .D3DBSP, .XLW,
.XPP, .XSN, .YUV, .ZIP, .SIE, .UNREC, .SCAN, .SUM, .T13, .T12, .QDF, .TAX, .PKPASS,
.BC6, .BC7, .SIDN, .SIDD, .MDDATA, .ITL, .ICXS, .HVPL, .HPLG, .HKDB, .MDBACKUP,
.SYNCDB, .GHO, .CAS, .WMO, .ITM, .SB, .FOS, .MOV, .VDF, .ZTMP, .SIS, .SID, .NCF,
.MENU, .LAYOUT, .DMP, .BLOB, .ESM, .VCF, .VTF, .DAZIP, .FPK, .MLX, .KF, .IWD, .VPK,
.TOR, .PSK, .RIM, .W3X, .FSH, .NTL, .ARCH00, .LVL, .SNX, .CFR, .FF, .VPP_PC, .LRF,
.M2, .MCMETA, .VFS0, .MPQGE, .DB0, .DBA, .ROFL, .HKX, .BAR, .UPK, .DAS, .LITEMOD,
.ASSET, .FORGE, .BSA, .APK, .RE4, .LBF, .SLM, .EPK, .RGSS3A, .PAK, .BIG, .WALLET,
.WOTREPLAY, .XXX, .DESC, .M3U, .JS, .RB, .1CD, .DBF, .DT, .CF, .CFU, .MXL, .EPF,
.KDBX, .VRP, .GRS, .GEO, .ST, .PFF, .MFT, .EFD, .3DM, .3DS, .RIB, .MA, .SLDASM,
.SLDPRT, .MAX, .BLEND, .LWO, .LWS, .M3D, .MB, .OBJ, .X, .X3D, .MOVIE, .BYU, .C4D,
.FBX, .DGN, .DWG, .4DB, .4DL, .4MP, .ABS, .ACCDB, .ACCDC, .ACCDE, .ACCDR, .ACCDT,
.ACCDW, .ACCFT, .ADN, .A3D, .ADP, .AFT, .AHD, .ALF, .ASK, .AWDB, .AZZ, .BDB, .BND,
.BOK, .THUMB, .TJP, .TM2, .TN, .TPI, .UFO, .UGA, .USERTILE-MS, .VDA, .VFF, .VPE,
.VST, .WB1, .WBC, .WBD, .WBM, .WBMP, .WBZ, .WDP, .WEBP, .WPB, .WPE, .WVL, .X3F, .Y,
.YSP, .ZIF, .CDR4, .CDR6, .CDRW, .JPEG, .DJVU, .PDF, .DDOC, .CSS, .PPTM, .RAW, .CPT,
.JPG, .JPE, .JP2, .PCX, .PDN, .PNG, .PSD, .TGA, .TIFF, .TIF, .HDP, .XPM, .AI, .PS,
.WMF, .EMF, .ANI, .APNG, .FLC, .FB2, .FB3, .FLI, .MNG, .SMIL, .SVG, .MOBI, .SWF,
.HTML, .XLS, .XLSX, .XLSM, .XHTM, .MRWREF, .XF, .PST, .BD, .GZ, .MKV, .XML, .XMLX,
.DAT, .MCL, .MTE, .CFG, .MP3, .BTR, .BAK, .BACKUP, .CDB, .CKP, .CLKW, .CMA,
.DACONNECTIONS, .DACPAC, .DAD, .DADIAGRAMS, .DAF, .DASCHEMA, .DB, .DB-SHM, .DB-WAL,
.DB2, .DB3, .DBC, .DBK, .DBS, .DBT, .DBV, .DBX, .DCB, .DCT, .DCX, .DDL, .DF1, .DMO,
.DNC, .DP1, .DQY, .DSK, .DSN, .DTA, .DTSX, .DXL, .ECO, .ECX, .EDB, .EMD, .EQL, .FCD,
.FDB, .FIC, .FID, .FM5, .FMP, .FMP12, .FMPSL, .FOL, .FP3, .FP4, .FP5, .FP7, .FPT,
.FZB, .FZV, .GDB, .GWI, .HDB, .HIS, .IB, .IDC, .IHX, .ITDB, .ITW, .JTX, .KDB, .LGC,
.MAQ, .MDB, .MDBHTML, .MDF, .MDN, .MDT, .MRG, .MUD, .MWB, .S3M, .MYD, .NDF, .NS2,
.NS3, .NS4, .NSF, .NV2, .NYF, .OCE, .ODB, .OQY, .ORA, .ORX, .OWC, .OWG, .OYX, .P96,
.P97, .PAN, .PDB, .PDM, .PHM, .PNZ, .PTH, .PWA, .QPX, .QRY, .QVD, .RCTD, .RDB, .RPD,
.CER, .CFP, .CLASS, .CLS, .CMT, .CPI, .CPP, .CRAW, .CRT, .CRW, .CS, .CSH, .CSL, .CSV,
.DAC, .DBR, .DDD, .DER, .DES, .DGC, .DNG, .DRF, .K2P, .DTD, .DXG, .EBD, .EML, .EXF,
.FFD, .FFF, .FH, .FHD, .FLA, .FLAC, .FLV, .FM, .GRAY, .GREY, .GRW, .GRY, .H, .HPP,
.IBD, .IIF, .INDD, .JAVA, .KEY, .LACCDB, .LUA, .M, .M4V, .MAF, .MAM, .MAR, .MAW,
.MDC, .MDE, .MFW, .MMW, .MP4, .MPG, .MPP, .MRW, .MSO, .NDD, .NEF, .NK2, .NSD, .NSG,
.NSH, .NWB, .NX1, .NX2, .ODC, .RSD, .SBF, .SDB, .SDF, .SPQ, .SQB, .STP, .SQL,
.SQLITE, .SQLITE3, .SQLITEDB, .STR, .TCX, .TDT, .TE, .TEACHER, .TRM, .UDB, .USR,
.V12, .VDB, .VPD, .WDB, .WMDB, .XDB, .XLD, .XLGC, .ZDB, .ZDC, .CDR3, .PPT, .PPTX,
.1ST, .ABW, .ACT, .AIM, .ANS, .APT, .ASCII, .ASE, .ATY, .AWP, .AWT, .AWW, .BBS, .BDP,
.BDR, .BEAN, .BIB, .BNA, .BOC, .BTD, .BZABW, .CHART, .CHORD, .CNM, .CRD, .CRWL, .CYI,
.DCA, .DGS, .DIZ, .DNE, .DOC, .DOCM, .DOCX, .DOCXML, .DOCZ, .DOT, .DOTM, .DOTX, .DSV,
.DVI, .DX, .EIO, .EIT, .EMAIL, .EMLX, .EPP, .ERR, .ETF, .ETX, .EUC, .FADEIN, .FAQ,
.FBL, .FCF, .FDF, .FDR, .FDS, .FDT, .FDX, .FDXT, .FES, .FFT, .FLR, .FODT, .FOUNTAIN,
.GTP, .FRT, .FWDN, .FXC, .GDOC, .GIO, .GPN, .GTHR, .GV, .HBK, .HHT, .HS, .HTC, .HWP,
.HZ, .IDX, .IIL, .IPF, .JARVIS, .JIS, .JOE, .JP1, .JRTF, .KES, .KLG, .KNT, .KON,
.KWD, .LATEX, .LBT, .LIS, .LIT, .LNT, .LP2, .LRC, .LST, .LTR, .LTX, .LUE, .LUF, .LWP,
.LXFML, .LYT, .LYX, .MAN, .MAP, .MBOX, .MD5TXT, .ME, .MELL, .MIN, .MNT, .MSG, .MWP,
.NFO, .NJX, .NOTES, .NOW, .NWCTXT, .NZB, .OCR, .ODM, .ODO, .ODT, .OFL, .OFT,
.OPENBSD, .ORT, .OTT, .P7S, .PAGES, .PFS, .PFX, .PJT, .PLANTUML, .PRT, .PSW, .PU,
.PVJ, .PVM, .PWI, .PWR, .QDL, .RAD, .README, .RFT, .RIS, .RNG, .RPT, .RST, .RT, .RTD,

```

-----

```
.RTF, .RTX, .RUN, .RZK, .RZN, .SAF, .SAFETEXT, .SAM, .SCC, .SCM, .SCRIV, .SCRIVX,
.SCW, .SDM, .SDOC, .SDW, .SGM, .SIG, .SKCARD, .SLA, .SLAGZ, .SLS, .SMF, .SMS, .SSA,
.STRINGS, .STW, .STY, .SUB, .SXG, .SXW, .TAB, .TDF, .TEXT, .THP, .TLB, .TM, .TMD,
.TMV, .TMX, .TPC, .TRELBY, .TVJ, .TXT, .U3D, .U3I, .UNAUTH, .UNX, .UOF, .UOT, .UPD,
.UTF8, .UNITY, .UTXT, .VCT, .VNT, .VW, .WBK, .WCF, .WEBDOC, .WGZ, .WN, .WP, .WP4,
.WP5, .WP6, .WP7, .WPA, .WPL, .WPS, .WPT, .WPW, .WRI, .WSC, .DXF, .EGC, .EP, .EPS,
.EPSF, .FH10, .FH11, .FH3, .FH4, .FH5, .FH6, .FH7, .FH8, .FIF, .FIG, .FMV, .FT10,
.FT11, .FT7, .FT8, .FT9, .FTN, .FXG, .GDRAW, .GEM, .GLOX, .GSD, .HPG, .HPGL, .HPL,
.IDEA, .IGT, .IGX, .IMD, .INK, .LMK, .MGCB, .MGMF, .MGMT, .MT9, .MGMX, .MGTX, .MMAT,
.MAT, .OTG, .OVP, .OVR, .PCS, .PFD, .PFV, .PL, .PLT, .VRML, .POBJ, .PSID, .RDL, .SCV,
.SK1, .SK2, .SLDDRT, .SNAGITSTAMPS, .SNAGSTYLES, .SSK, .STN, .SVF, .SVGZ, .SXD, .TLC,
.TNE, .UFR, .VBR, .VEC, .VML, .VSD, .VSDM, .VSDX, .VSTM, .STM, .VSTX, .WPG, .VSM,
.VAULT, .XAR, .XMIND, .XMMAP, .YAL, .ORF, .OTA, .OTI, .OZB, .OZJ, .OZT, .PAL, .PANO,
.PAP, .PBM, .PC1, .PC2, .PC3, .PCD, .PDD, .PE4, .PEF, .PFI, .PGF, .PGM, .PI1, .PI2,
.PI3, .PIC, .PICT, .PIX, .PJPEG, .PJPG, .PM, .PMG, .PNI, .PNM, .PNTG, .POP, .PP4,
.PP5, .PPM, .PRW, .PSDX, .PSE, .PSP, .PSPBRUSH, .PTG, .PTX, .PVR, .PX, .PXR, .PZ3,
.PZA, .PZP, .PZS, .Z3D, .QMG, .RAS, .RCU, .RGB, .RGF, .RIC, .RIFF, .RIX, .RLE, .RLI,
.RPF, .RRI, .RS, .RSB, .RSR, .RW2, .RWL, .S2MV, .SAI, .SCI, .SCT, .SEP, .SFC, .SFERA,
.SFW, .SKM, .SLD, .SOB, .SPA, .SPE, .SPH, .SPJ, .SPP, .SR2, .SRW, .STE, .SUMO, .SVA,
.SAVE, .SSFN, .T2B, .TB0, .TBN, .TEX, .TFC, .TG4, .THM, .QBI, .QBR, .CNT, .V30, .QBO,
.LGB, .QWC, .QBP, .AIF, .QBY, .1PA, .QPD, .SET, .ND, .RTP, .QBWIN, .LOG, .QBBACKUP,
.TMP, .TEMP1234, .QBT, .QBSDK, .SYNCMANAGERLOGGER, .ECML, .QSM, .QSS, .QST, .FX0,
.FX1, .MX0, .FPX, .FXR, .FIM, .BETTER_CALL_SAUL, .BREAKINGBAD, .HEISENBERG, .YTBL,
.WSD, .WSH, .WTX, .XBDOC, .XBPLATE, .XDL, .XLF, .XPS, .XWP, .XY3, .XYP, .XYW, .YBK,
.YML, .ZABW, .ZW, .2BP, .0, .36, .3FR, .411, .73I, .8XI, .9PNG, .ABM, .AFX, .AGIF,
.AGP, .AIC, .ALBM, .APD, .APM, .APS, .APX, .ARTWORK, .ARW, .ASW, .AVATAR, .BAY,
.BLKRT, .BM2, .BMP, .BMX, .BMZ, .BRK, .BRN, .BRT, .BSS, .BTI, .C4, .CAL, .CALS, .CAN,
.CD5, .CDC, .CDG, .CIMG, .CIN, .CIT, .COLZ, .CPC, .CPD, .CPG, .CPS, .CPX, .CR2, .CT,
.DC2, .DCR, .DDS, .DGT, .DIB, .DM3, .DMI, .VUE, .DPX, .WIRE, .DRZ, .DT2, .DTW, .DVL,
.ECW, .EIP, .ERF, .EXR, .FAL, .FAX, .FIL, .FPOS, .G3, .GCDP, .GFB, .GFIE, .GGR, .GIF,
.GIH, .GIM, .GMBCK, .GMSPR, .SPR, .SCAD, .GPD, .GRO, .GROB, .HDR, .HPI, .I3D, .ICN,
.ICPR, .IIQ, .INFO, .INT, .IPX, .ITC2, .IWI, .J, .J2C, .J2K, .JAS, .JB2, .JBIG,
.JBIG2, .JBMP, .JBR, .JFIF, .JIA, .JNG, .JPG2, .JPS, .JPX, .JTF, .JWL, .JXR, .KDC,
.KDI, .KDK, .KIC, .KPG, .LBM, .LJP, .MAC, .MBM, .MEF, .MNR, .MOS, .MPF, .MPO, .MRXS,
.MYL, .NCR, .NCT, .NLM, .NRW, .OC3, .WALLET, .OC4, .OC5, .OCI, .OMF, .OPLC, .AF2,
.AF3, .AI, .ART, .ASY, .CDMM, .CDMT, .CDMTZ, .CDMZ, .CDT, .CGM, .CMX, .CNV, .CSY,
.CV5, .CVG, .CVI, .CVS, .CVX, .CWT, .CXF, .DCS, .DED, .DESIGN, .DHS, .DPP, .DRW,
.DXB, .AFS, .GPG, .AES, .ARC, .PAQ, .TAR, .BZ2, .TGZ, .DJV, .CMD, .BAT, .BRD, .SCH,
.DCH, .DIP, .VBS, .MYI, .FRM, .ASC, .LAY6, .LAY, .MSLL, .DOCB, .MML, .UOP, .WKS,
.SLK, .XLC, .DIF, .HWP, .UOT, .PEM, .CSR

### Related Articles:

#### RIG Exploit Kit drops RedLine malware via Internet Explorer bug

 Indian airline SpiceJet's flights impacted by ransomware attack

 US Senate: Govt’s ransomware fight hindered by limited reporting

 New RansomHouse group sets up extortion market, adds first victims

 Ransomware attack exposes data of 500,000 Chicago students

```
[Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/)


-----

#### Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence s area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.
 Previous Article Next Article

### Comments

[msm_ - 5 years ago](https://www.bleepingcomputer.com/forums/u/1034062/msm/)

#### Hi,

 &gt; While Revenge's predecessor encrypted 454 extensions, Revenge targets 1,237 extensions, which can be seen below:

 ...and you pasted list of 454 extensions. Pasted wrong list, or something is wrong?

 Other than that, great article! If what you wrote about RSA encryption is true, than goodbye crypto(mix|shield) decryptors.


-----

[Lawrence Abrams - 5 years ago](https://www.bleepingcomputer.com/author/lawrence-abrams/)

#### Thanks..Fixed. Also added database processes terminated by the ransomware.

[iskim7777777 - 5 years ago](https://www.bleepingcomputer.com/forums/u/986503/iskim7777777/)

#### Hi, May i ask you a question? I think there is typos in the article... hxxp://109.236.87.20/js/other_scripts/get.php (X) --&gt; hxxp://109.236.87.201/js/other_scripts/get.php (O)

 Thanks.


-----

[Lawrence Abrams - 5 years ago](https://www.bleepingcomputer.com/author/lawrence-abrams/)

#### Right you are. The 1 got cut off on copy/paste. Fixed. Thx

[aanchal - 5 years ago](https://www.bleepingcomputer.com/forums/u/1044717/aanchal/)

#### i have encrypted files but i m not able to decrypt them .. Its a video file with .exe extension and one large .ppvm file. I can share the link to you . So that anyone who wants to take it as a challenge can do it . Please message me inbox on facebook https://www.facebook.com/profile.php?id=100011575472967

[Post a Comment Community Rules](https://www.bleepingcomputer.com/posting-guidelines/)

You need to login in order to post a comment

#### Not a member yet? Register Now

### You may also like:


-----