In addition to encrypting files, Revenge also encrypts databases, deletes Windows Shadow Volume copies, and attempts to run with administrative privileges via fake alerts and a User Account Control prompt.
The previous "Windows Defender" alert provides context that makes this prompt significantly less scary and suspicious than it would be if it had appeared out of the blue. Clicking "Yes" allows the ransomware to execute with administrative privileges, which helps it delete shadow volume copies and gives it access to more files and folders to encrypt.
Finally, Revenge drops a ransom note titled # !!!HELP_FILE!!! #.txt in every folder containing files it has encrypted.
The English version of the ransom note reads as follows:
All of your files were encrypted using REVENGE Ransomware.
The action required to restore the files.
Your files are not lost, they can be returned to their normal state by decoding them.
The only way to do this is to get the software and your personal decryption key.
Using any other software that claims to be able to recover your files will result in corrupted or destroyed files.
You can purchase the software and the decryption key by sending us an email with your ID.
And we send instructions for payment.
After payment, you receive the software to return all files.
For proof, we can decrypt one file for free. Attach it to an e-mail.
Whereas other prominent new ransomware variants like Spora are providing victims with increasingly slick payment portals, Revenge simply instructs its victims to send emails to receive payment instructions (potentially implying the authors behind Revenge don't have grand plans for mass distribution).
Email addresses have included variations of firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org.
Revenge targets a whopping 1,237 types of file extensions.
Encrypted files are renamed with a unique 16 hexadecimal character ID for the victim, a unique 16 hexadecimal character ID for the file, and the extension .revenge.
Revenge encrypts files using AES-256.
Revenge will also attempt to gain administrative privileges via a fake alert and a User Account Control prompt.
Like other ransomware, Revenge will attempt to delete Shadow Volume Copies to make recovering encrypted data more difficult.
Victims are directed to send emails to the provided addresses to receive payment instructions.
Unfortunately, at this time there is no free decryption tool available for Revenge.
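For responders, the file-naming and ransom-note indicators above can be checked against a file listing exported from an affected host. The following is an added example, not Barkly's code or any vendor tool: the function name triage is hypothetical, the sample paths are constructed, and because the article does not say how the two IDs are joined, the script accepts any separator and treats the ID that repeats across files as the victim ID.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

NOTE_NAME = "# !!!HELP_FILE!!! #.txt"   # ransom note name from the article
EXT = ".revenge"                         # extension from the article
HEX16 = re.compile(r"[0-9A-Fa-f]{16}")   # one 16-hex-character ID

# Constructed sample listing (not real victim data). The "." between the two
# IDs is an assumption; the regex accepts any separator, or none.
SAMPLE = [
    r"C:\Users\alice\Documents\A1B2C3D4E5F60718.0011223344556677.revenge",
    r"C:\Users\alice\Documents\A1B2C3D4E5F60718.8899AABBCCDDEEFF.revenge",
    r"C:\Users\alice\Documents\# !!!HELP_FILE!!! #.txt",
    r"C:\Users\alice\Pictures\A1B2C3D4E5F60718.0F1E2D3C4B5A6978.revenge",
    r"C:\Users\alice\Pictures\notes.revenge",   # extension only, no IDs
    r"C:\Users\alice\Desktop\report.docx",      # untouched file
]

def triage(paths):
    """Summarise Revenge indicators found in a list of Windows paths."""
    folders = defaultdict(lambda: {"encrypted": 0, "note": False})
    id_counts = Counter()
    for raw in paths:
        p = PureWindowsPath(raw)
        entry = folders[str(p.parent)]
        if p.name.lower() == NOTE_NAME.lower():
            entry["note"] = True
        elif p.suffix.lower() == EXT:
            ids = HEX16.findall(p.stem)
            if len(ids) == 2:            # victim ID + file ID, in either order
                entry["encrypted"] += 1
                id_counts.update({i.upper() for i in ids})
    return {
        "encrypted_files": sum(f["encrypted"] for f in folders.values()),
        # The victim ID is shared by every file; file IDs are unique per file.
        "victim_ids": sorted(i for i, n in id_counts.items() if n > 1),
        # The article says a note is dropped in every folder with encrypted
        # files, so a folder without one deserves a closer look.
        "folders_missing_note": sorted(
            d for d, f in folders.items() if f["encrypted"] and not f["note"]
        ),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```
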
Stopping Revenge with Barkly's Runtime Malware Defense
Barkly utilizes runtime malware defense (RMD) to stop Revenge ransomware infections before files are encrypted or any other damage is done (see it in action in the video above). By monitoring activity across multiple layers of the system in real time, Barkly can see when malware like Revenge is attempting to gain execution by suspicious means and stop it before it does.
Why blocking malware during runtime matters
By detecting and blocking malicious behaviors in real time, Barkly is able to stop malware regardless of how well it was disguised. It may be a brand new variant that no AVs have signatures for, or it may utilize fileless techniques to bypass file scanning altogether. It doesn't matter. Once it tries to do something malicious, Barkly sees it and stops it.
That gives organizations crucial protection they're currently missing: another opportunity to block an attack even after a user has mistakenly opened an infected document, visited a malicious website, etc., and even after it's bypassed their AV.