{
	"id": "d6ab25ed-be7b-4a9c-ba25-de4e29be2276",
	"created_at": "2026-04-06T00:19:10.33158Z",
	"updated_at": "2026-04-10T03:36:07.876076Z",
	"deleted_at": null,
	"sha1_hash": "dda400730834a2c6bec118cb885122dd2fb5fa41",
	"title": "Changes in REvil ransomware version 2.2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42282,
	"plain_text": "Changes in REvil ransomware version 2.2\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 14:18:00 UTC\r\nBy the Intel 471 Malware Intelligence team.\r\nSummary\r\nThe REvil ransomware-as-a-service (RaaS) operation continues to impact businesses worldwide. The threat actors responsible for developing and maintaining the malware have released an updated ransomware, version 2.2. In this short blog post, we cover the significant changes from the previous version, which we covered in detail in an earlier blog post (see: https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/).\r\nPersistence mechanism\r\nREvil ransomware persists on a machine if the arn configuration field is set to true. It writes its own path to the registry key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run under a value name such as mjOObKp0yy.\r\nIn version 2.1, first collected by our systems on March 15, 2020, this persistence mechanism had been removed. It seems this little experiment didn’t go as planned, because the new version 2.2 brings the same persistence mechanism back.\r\nRestart Manager to terminate processes\r\nOne of the more interesting new features of REvil version 2.2 is the use of the Windows Restart Manager to terminate processes and services that hold open the files targeted for encryption. If a process already holds an open handle to a file, the Windows operating system (OS) refuses a conflicting open from another process (in this case, the ransomware), so the ransomware cannot write to that file. 
To circumvent this, the REvil developers implemented a technique that uses the Windows Restart Manager, an approach also seen in other ransomware such as SamSam and LockerGoga (see:\r\nhttps://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/).\r\nREvil ransomware opens files for encryption with no sharing (dwShareMode equal to 0). If the file is already open in another process, that open fails with a sharing violation, and REvil invokes its Restart Manager routine on that error.\r\nThe function prototype for rvl_restart_manager is:\r\nVOID rvl_restart_manager(LPCWSTR Filename, BOOL DoEndSession)\r\nThe following explains how REvil employs this technique:\r\nCall OpenSCManagerW to open the “ServicesActive” database.\r\nStart a new Restart Manager session by calling RmStartSession and save the returned handle in a global variable for future calls.\r\nInvoke RmRegisterResources with the target file name to register it with the Restart Manager session.\r\nRetrieve the list of all applications currently using the file by calling RmGetList. This application programming interface (API) fills a caller-supplied array of RM_PROCESS_INFO structures, one per process holding the file.\r\nIf an ordinary process is using the file, it is terminated by a call to TerminateProcess.\r\nIf a service is encountered, ControlService is invoked with the SERVICE_CONTROL_STOP control code to stop the service, followed by a call to DeleteService.\r\nIf a critical process is encountered, its critical status is first removed by calling ZwSetInformationProcess with the information class ProcessBreakOnTermination, and the process is then terminated. Clearing that flag keeps the termination from triggering an immediate system crash (bugcheck), but killing a process that had marked itself critical may still leave the victim system in an unstable state.\r\nNew ‘-silent’ flag\r\nA new command-line option -silent was added that skips the termination of blacklisted processes and services and the deletion of shadow copies. 
However, this flag does not affect the new Restart Manager functionality.\r\nIndicators of compromise\r\n(The indicators were provided as a screenshot in the original post and are not reproduced in this text.)\r\nSource: https://intel471.com/blog/changes-in-revil-ransomware-version-2-2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intel471.com/blog/changes-in-revil-ransomware-version-2-2"
	],
	"report_names": [
		"changes-in-revil-ransomware-version-2-2"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4116df25-aff6-46ee-a5dd-926254a78e89",
			"created_at": "2023-01-06T13:46:38.894033Z",
			"updated_at": "2026-04-10T02:00:03.137353Z",
			"deleted_at": null,
			"main_name": "BOSS SPIDER",
			"aliases": [
				"GOLD LOWELL"
			],
			"source_name": "MISPGALAXY:BOSS SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1b20199b-07ae-42f1-ad22-bbe2dd471df8",
			"created_at": "2024-06-04T02:03:07.872554Z",
			"updated_at": "2026-04-10T02:00:03.613698Z",
			"deleted_at": null,
			"main_name": "GOLD LOWELL",
			"aliases": [
				"Boss Spider ",
				"CTG-0007 "
			],
			"source_name": "Secureworks:GOLD LOWELL",
			"tools": [
				"Samas"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb8697fd-882a-4323-9eb8-8e20222cfd91",
			"created_at": "2022-10-25T16:07:23.416834Z",
			"updated_at": "2026-04-10T02:00:04.589943Z",
			"deleted_at": null,
			"main_name": "Boss Spider",
			"aliases": [
				"Boss Spider",
				"CTG-0007",
				"Gold Lowell"
			],
			"source_name": "ETDA:Boss Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"SDelete",
				"SamSam",
				"Samas"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434750,
	"ts_updated_at": 1775792167,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dda400730834a2c6bec118cb885122dd2fb5fa41.pdf",
		"text": "https://archive.orkl.eu/dda400730834a2c6bec118cb885122dd2fb5fa41.txt",
		"img": "https://archive.orkl.eu/dda400730834a2c6bec118cb885122dd2fb5fa41.jpg"
	}
}