Your IT Consultant

REvil Really is Evil

March 23, 2021

REvil Really is Evil

REvil is one nasty ransomware group. Bleeping Computer has reported that the REvil ransomware now has a Windows Safe Mode. For those that may not know, Safe Mode in Windows is typically used to run administrative and diagnostic tasks to fix a problem in the operating system. Safe Mode only loads a minimum amount of support and drivers to get the operating system going. This means that security software and protections aren’t typically available.

The new “feature” of REvil has an -smode command-line argument that forces the computer into Safe Mode prior to encrypting the device. REvil adds various RunOnce autorun entries in the Windows registry to force the Safe Mode with Networking reboot that can’t be stopped by the user. One of the entries is named ‘AstraZeneca.’ The registry entries are deleted at the end of the process and ultimately Windows boots to normal mode. This new capability of REvil is a little strange and requires the user to login to the device following booting to Safe Mode, which should raise some suspicions. No matter the reason, this is another example of the constant morphing of ransomware techniques to maximize their evil payload.

Email:  Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://www.linkedin.com/in/johnsimek
https://amazon.com/author/johnsimek
https://senseient.com