REvil Ransomware

What is REvil Ransomware?

REvil Ransomware is a computer infection that will try to push you into spending your money on a decryption key. This decryption key is supposedly necessary to restore your encrypted files. Although that is the common path of action when it comes to ransomware infections, computer security experts always maintain that paying for the decryption key is not the best choice. Users should remove REvil Ransomware instead without giving these criminals what they want. Scroll down to the bottom of this entry for the manual removal instructions. If necessary, get yourself a legitimate security tool to perform a full system scan.

Where does REvil Ransomware come from?

As it is common with ransomware infections, it is hard to pinpoint the exact malware distribution source or creator. If the infection is not very wide-spread or prominent, they honestly just come and go. What’s more, there are a lot of ransomware infections these days that target specific victims (especially as they mostly aim at taking down bigger business computer networks), so it is challenging to pin down every single custom infection.

You might find somewhere that REvil Ransomware is another version of Sodinokibi Ransomware. However, the truth is that it’s the same program. It’s just that the name Sodinokibi was taken from a randomly generated filename that was associated with the infection. Security research specialists say that REvil Ransomware is actually the proper name for this program, as it is taken from the malware internals.

Now, most of the ransomware programs are distributed via spam email attachments. However, REvil Ransomware employs a different tactic. Our research suggests that this program comes through corrupted RDP connection and vulnerability exploits. One of the exploits listed as a mean of REvil Ransomware distribution is the Oracle WebLogic CVE-2019-2725 exploit detected last May. The web server that has that vulnerability can be exploited to download and execute REvil Ransomware. It is also relatively easy to get access to the vulnerable server because it doesn’t require username and password.

In general, to avoid the likes of REvil Ransomware, you should be careful about the files you receive over your remote desktop client connection. Also, if a website you access suddenly downloads something onto your computer, you shouldn’t open it automatically. Please scan newly received files with a security tool before opening them. This way, you would definitely limit the ransomware infection potential.

What does REvil Ransomware do?

This malicious infection functions like most of the other ransomware applications out there. It means that it scans the system upon the infection and locates all the files it can encrypt. Judging on what we have found, REvil Ransomware can encrypt files in the following directories:

%USERPROFILE%\Favorites
%USERPROFILE%\Downloads
%USERPROFILE%\Desktop
%Homedrive%\Users\Default
%Homedrive%

Although most of the program and system files are located in the %Homedrive% directory, the infection doesn’t touch upon any of the SYS or BAT format files. It shows that REvil Ransomware retains your system files to keep your computer fully functional. It is not surprising because this infection still needs to collect the ransom.

Aside from encrypting your files, REvil Ransomware also deletes the Shadow Volume copies (provided they have been enabled prior to the infection). Quite a few ransomware programs aim at the Shadow Volume because they need to make sure you cannot restore your files, and the Shadow Volume would still allow you to do that, although regular users are seldom familiar with it.

The ransom note says that you need to use the TOR browser to access the website given by the criminals. It doesn’t say what else you are expected to do once you have opened the given link, but it is probably clear that the criminals would expect you to pay the ransom.

How do I remove REvil Ransomware?

Let’s make it clear here: paying the ransom is NOT an option. Your best bet would be restoring your files from a backup. If you have copies of your data on an external hard drive or a cloud drive, there shouldn’t be a problem. However, if you haven’t thought of backing up your files before, do not panic. Go through your mobile devices, your USB flash drives, and your inbox. You are very likely to find most of your recent files there. If necessary, get professional help to find out more about file recovery options.

Manual REvil Ransomware Removal

1. Delete the most recent files from Desktop.
2. Open the Downloads folder.
3. Delete the most recent files from the folder.
4. Press Win+R and the Run prompt will open.
5. Type %TEMP% into the Open box and click OK.
6. Remove the most recent files from the directory.
7. Scan your PC with SpyHunter and delete the ransom notes. Download Removal Tool100% FREE spyware scan and
   tested removal of REvil Ransomware*