Barkly vs Malware
Barkly Research
Apr 2017

Blocking Revenge Ransomware During Runtime

Files encrypted by Revenge ransomware / Bleeping Computer

Revenge is a new variant of CryptoMix ransomware gaining traction via the RIG exploit kit. See how Barkly prevents Revenge from encrypting files by stopping it during runtime.

Revenge Ransomware Overview

Revenge was first spotted in March 2017 being delivered via the RIG exploit kit. As Bleeping Computer's Lawrence Abrams points out in his write-up, Revenge is a new variant of the CryptoMix ransomware family, with similarities to another CryptoMix variant called CryptoShield.

In addition to encrypting files, Revenge also encrypts databases, deletes Windows Shadow Volume copies, and attempts to run with administrative privileges via fake alerts and a User Account Control prompt.

Fake alert window from Revenge Ransomware

Bleeping Computer

During the infection process, victims will encounter a fake Windows Defender alert (shown above). Pressing continue will initiate the User Access Prompt shown below.

Revenge Ransomware's User Access Prompt

Bleeping Computer

The previous "Windows Defender" alert provides context that makes this prompt significantly less scary and suspicous than it might otherwise be if it had appeared out of the blue. Clicking "Yes" will allow the ransomware to be executed with administrative privileges, which can help it delete shadow volume copies and also enable additional access to more files and folders to encrypt.

Finally, Revenge drops a ransom note titled # !!!HELP_FILE!!! #.txt in every folder containing files it's encrypted.

Revenge Ransomware's ransom note

Bleeping Computer

The English version of the ransom note reads as follows:

 All of your files were  encrypted using REVENGE Ransomware.
 The action required to restore the files.
 Your files are not lost, they can be returned to their normal state by decoding them.
 The only way to do this is to get the software and your personal decryption key.
 Using any other software that claims to be able to recover your files will result in corrupted or destroyed files.
 You can purchase the software and the decryption key by sending us an email with your ID.
 And we send instructions for  payment .
 After payment, you receive the software to return all files.
 For proof, we can decrypt one file for free. Attach it to an e-mail.

Whereas other prominent new ransomware variants like Spora are providing victims with increasingly slick payment portals, Revenge simply instructs its victims to send emails to receive payment instructions (potentially implying the authors behind Revenge don't have grand plans for mass distribution).

Email addresses have included variations of,, and

Quick Facts

  • Revenge targets a whopping 1,237 types of file extensions.
  • Encrypted files are renamed with a unique 16 hexadecimal character ID for the victim, a unique 16 hexadecimal character ID for the file, and the extension .revenge.
  • Revenge encypts files using AES-256 encryption.
  • Revenge will also attempt to gain administrative privileges via a fake alert and User Access Prompt.
  • Like other ransomware, Revenge will attempt to delete Shadow Volume Copies to make recovering encrypted data more difficult.
  • Victims are directed to send emails to provided addesses to receive payment instructions.
  • Unfortunately, at this time there is no free decryption tool availalble for Revenge.

How Revenge is Being Delivered

Exploit kits: Researchers have spotted Revenge being primarily spread via RIG exploit kits.

Stopping Revenge with Barkly's Runtime Malware Defense

Barkly utilizes runtime malware defense (RMD) to stop Revenge ransomware infections before files are encrypted or any other damage is done (see it in action in the video above). By monitoring activity across mulitple layers of the system in real-time, Barkly can see when malware like Revenge is attempting to gain execution by suspicious means and stop it before it does.

Why blocking malware during runtime matters

By detecting and blocking malicious behaviors in real-time, Barkly is able to stop malware regardless of how well it was disguised. It may be a brand new variant that no AVs have signatures for, or it may utilize fileless techniques to bypass file scanning altogether. It doesn't matter. Once it tries to do something malicious, Barkly sees it and stops it.

That gives organizations crucial protection they're currently missing — another opportunity to block an attack even after a user has mistakenly opened an infected document, visited an malicious website, etc., and even after it's bypassed their AV.

Learn more about how RMD works here.

Barkly Research

Barkly Research

Barkly's malware research team is hard at work stopping new malware that sneaks past antivirus.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.