When the Revenge Ransomware infiltrates a computer successfully, it starts its attack by generating a 16-character victim ID key. The encryption technique that the Revenge Ransomware relies on is similar to the one used by the CryptFile2 Ransomware and the CryptoShield Ransomware: the files are encrypted with an AES-256 key, which is then encrypted with an embedded public RSA-1024 key. This makes the Revenge Ransomware’s encryption routine practically unbreakable and, unfortunately, it is very unlikely that a free decryption utility will become available unless the authors decide to join the good side and release it on their own.
The Revenge Ransomware Uses a Fake Windows Defender Alert to Get Escalated Privileges
One peculiar thing about the Revenge Ransomware’s attack is that it uses a fake alert to convince the user to grant the crypto-threat administrative privileges. To do this, the Revenge Ransomware spawns an alert box stating that ‘Windows Defender Virus and spyware definitions couldn’t be updated. Click Continue for recovery update soft.’ When the user opts to continue, they see a UAC prompt linked to the command ‘C:\Windows\SysWOW64\wbem\WMIC.exe’ process call to create ‘%UserProfile%\a1x[r65r.exe.’ If the user authorizes this, the Revenge Ransomware takes over the system and proceeds to encrypt the files, rename them, and drop the ransom note. The naming pattern that the Revenge Ransomware uses is also rather peculiar: [16_hex_char_victim_id][16_hex_char_encrypted_filename][unknown_8_hex_char_string][8_char_encrypted_filename].REVENGE. It goes without saying that by doing this, the Revenge Ransomware ensures that victims will not be able to easily find out whether they lost any valuable files during the attack, and this may motivate them to pay the ransom fee sooner. Another interesting feature of the Revenge Ransomware is that the author has added a script that automatically identifies and terminates a list of processes associated with database servers. This is likely done to ensure that the Revenge Ransomware can access the database files, which would otherwise be locked by the running server, and encrypt them. Apart from taking additional measures to encrypt database files, the Revenge Ransomware targets over 1,200 unique types of files; for comparison, CryptFile2 and CryptoShield limited their targets to a bit over 400 types of files.
All of your files were encrypted using REVENGE Ransomware.
The action required to restore the files.
Your files are not lost, they can be returned to their normal state by decoding them.
The only way to do this is to get the software and your personal decryption key.
Using any other software that claims to be able to recover your files will result in corrupted or destroyed files.
You can purchase the software and the decryption key by sending us an email with your ID.
And we send instructions for payment.
After payment, you receive the software to return all files.
For proof, we can decrypt one file for free. Attach it to an e-mail.
Victims can find the attacker’s demands in the file called ‘# !!!HELP_FILE!!! #.txt,’ which is dropped in every folder that contains at least one encrypted file. The ransom sum that the Revenge Ransomware’s authors ask for is not specified; instead, the ransom message tells victims to send a message to [email protected], [email protected], or [email protected], and to include their victim ID in the email’s body. Paying the ransom fee is not recommended but, unfortunately, at present this is the only possible way to recover files locked by the Revenge Ransomware. However, users who are considering co-operating with the attackers should keep in mind that the authors of the Revenge Ransomware provide no guarantee that they will decrypt the files once the ransom payment is completed.
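As an added example (not code from the article or from the malware itself), the triage script below uses the two host artefacts described above, the ransom note file name and the .REVENGE file naming pattern, to summarise an infected directory tree: how many renamed files sit in each folder, where ransom notes were dropped, and which victim IDs appear. It assumes the four name fields are exactly 16, 16, 8 and 8 characters long with the first three in hex, as the pattern states; the sample tree it builds is constructed for the demo.

```python
import os
import re
import tempfile
from collections import Counter

# Encrypted-file naming pattern from the article (field lengths are an assumption):
# [16 hex victim id][16 hex encrypted name][8 hex unknown][8 char encrypted name].REVENGE
REVENGE_NAME = re.compile(
    r"^(?P<victim_id>[0-9A-Fa-f]{16})"
    r"(?P<enc_name>[0-9A-Fa-f]{16})"
    r"(?P<unknown>[0-9A-Fa-f]{8})"
    r"(?P<tail>.{8})\.REVENGE$"
)
RANSOM_NOTE = "# !!!HELP_FILE!!! #.txt"


def triage(root):
    """Walk root and report REVENGE indicators. Paths are relative to root so
    the summary is portable between the live host and an offline image."""
    encrypted = Counter()   # folder -> number of files matching the pattern
    notes = []              # folders where the ransom note was found
    victim_ids = Counter()  # victim id -> number of files carrying it
    for dirpath, _, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in filenames:
            if name == RANSOM_NOTE:
                notes.append(rel)
                continue
            match = REVENGE_NAME.match(name)
            if match:
                encrypted[rel] += 1
                victim_ids[match.group("victim_id").upper()] += 1
    return {"encrypted": dict(encrypted), "notes": sorted(notes),
            "victim_ids": dict(victim_ids)}


def build_sample_tree():
    """Create a constructed sample tree (not real artefacts) for a demo run."""
    root = tempfile.mkdtemp(prefix="revenge_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    victim_id = "0123456789ABCDEF"  # constructed id, not a real IoC
    for i in range(2):  # two renamed files: id + 16 hex + 8 hex + 8 chars
        name = f"{victim_id}{i:016X}DEADBEEFabcd1234.REVENGE"
        open(os.path.join(docs, name), "wb").close()
    open(os.path.join(docs, RANSOM_NOTE), "w").close()
    open(os.path.join(root, "readme.txt"), "w").close()        # untouched file
    open(os.path.join(root, "short.REVENGE"), "w").close()     # wrong shape, ignored
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```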