The latest version of REvil ransomware brings about significant changes from the last released version.

REvil and RaaS.

Version 2.2 boasts a new persistence mechanism that is implemented if the arn configuration field is set to true. If it is, a path is written to the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Version 2.1 did not contain this mechanism.

Additionally, version 2.2 makes use of the Windows Restart Manager to terminate any services that may lock files identified for encryption. REvil developers implemented strategies used by other ransomware such as SamSam and LockerGoga to perform this operation. Should a file be open when the ransomware attempts to encrypt it, a sharing violation occurs, which triggers the Restart Manager.

Also among the changes is a new -silent flag that skips termination of blacklisted processes and services and skips shadow copy deletion. It does not, however, affect the Restart Manager functionality.
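The Run-key persistence described above is visible to endpoint telemetry as a registry value being set under CurrentVersion\Run. The following detection rule is an added example, not code from the advisory; it runs over a handful of constructed Sysmon Event ID 13 (RegistryEvent SetValue) records and the allowlist of expected writer processes is an assumption to be tuned per environment.

```python
"""Flag registry writes to ...\CurrentVersion\Run by unexpected processes.

Added example, not from the original advisory. Input records mimic
Sysmon Event ID 13 fields (EventType, Image, TargetObject, Details);
the values themselves are constructed.
"""
import re

# Match any value written directly under a CurrentVersion\Run key, in any hive.
RUN_KEY_RE = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$",
    re.IGNORECASE,
)

# Processes expected to create Run entries on a managed host (assumption).
ALLOWED_WRITERS = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\system32\svchost.exe",
}


def is_suspicious_run_write(event: dict) -> bool:
    """True for a SetValue under a Run key by a process outside the allowlist."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return False
    if not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return False
    return event.get("Image", "").lower() not in ALLOWED_WRITERS


def find_run_persistence(events: list) -> list:
    """Return the events that should raise an alert."""
    return [e for e in events if is_suspicious_run_write(e)]


# Constructed sample telemetry: one unexpected Run write, one allowed, one unrelated.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for hit in find_run_persistence(SAMPLE_EVENTS):
        print(f"ALERT Run-key write by {hit['Image']} -> {hit['TargetObject']} = {hit['Details']}")
```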
Block all threat indicators at your respective controls.
Always be suspicious about emails sent by unknown senders.
Never click on the links/attachments sent by unknown senders.