Revenge Ransomware

The Revenge Ransomware is a variant of CryptoMix and CryptFile2. The Revenge Ransomware is being distributed using the RIG Exploit Kit, and being installed on the victims' computers automatically. In most cases, the Revenge Ransomware will be installed after the victim is redirected to a website that has been compromised with the RIG Exploit Kit. Victims are directed to those pages using corrupted Java scripts that attempt to leverage various vulnerabilities to install the Revenge Ransomware on the victims' computers immediately.

Enduring Revenge Due to Being a Computer User

Once the Revenge Ransomware has entered the victim's computer, it will create a unique ID for the victim's computer. The Revenge Ransomware seems to be engineered to target databases, making it particularly destructive when it comes to enterprise networks and Web servers. To ensure that the Revenge Ransomware has access to databases to encrypt their data, one of the first things the Revenge Ransomware does during its attack is terminate the following processes, which are associated with databases:

msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, mydesktopqos.exe, agntsvc.exeisqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exeagntsvc.exe, agntsvc.exeencsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe.

After terminating these processes, the Revenge Ransomware will scan the victim's computer for files with 1237 different extensions. The Revenge Ransomware uses the AES-256 encryption to encrypt all files it finds with the extensions in its configuration file. The Revenge Ransomware renames all affected files following the format [16_hex_char_vicimt_id][16_hex_char_encrypted_filename][unknown_8_hex_char_string][8_char_encrypted_filename].REVENGE. After encrypting the victim's files, the Revenge Ransomware creates ransom notes in each directory where files were encrypted. These ransom notes are text files named '# !!!HELP_FILE!!! #.txt,' which contain the following text in various languages (depending on the geographical location of the infected computer):

'===ENGLISH===
All of your files were encrypted using the Revenge Ransomware.
The action required to restore the files.
Your files are not lost, they can be returned to their normal state by decoding them.
The only way to do this is to get the software and your personal decryption key.
Using any other software that claims to be able to recover your files will result in corrupted or destroyed files.
You can purchase the software and the decryption key by sending us an email with your ID.
And we send instructions for payment .
After payment, you receive the software to return all files.
For proof, we can decrypt one file for free. Attach it to an e-mail.

===POLISH===
Wszystkie pliki zostały zaszyfrowane przy użyciu REVENGE szkodnika.
Konieczne działania w celu przywrócenia plików.
Pliki nie są tracone, mogą one zostać zwrócone do swojego normalnego stanu poprzez ich dekodowania.
Jedynym sposobem na to jest, aby oprogramowanie i swój osobisty klucz deszyfrowania.
Korzystanie z innego oprogramowania, które twierdzi, że jest w stanie odzyskać pliki spowoduje uszkodzonych lub zniszczonych plików.
Można kupić oprogramowanie i klucz deszyfrowania wysyłając do nas e-maila z ID.
A my wyślemy instrukcje dotyczące płatności.
Po dokonaniu płatności otrzymasz oprogramowanie do zwrotu plików.
W celu udowodnienia, że możemy odszyfrować plik. Dołączyć go do wiadomości e-mail.'

Dealing with the Revenge Ransomware Infection

To deal with the Revenge Ransomware and similar threats, PC security researchers strongly advise computer users to take preventive measures. It is essential to ensure that your computer is properly protected with strong passwords and reliable security software. However, since threats like the Revenge Ransomware may bypass strong defenses (especially when caused by human error), malware researchers advise computer users to have backups of all files. If computer users can recover their files from a backup copy, then the people responsible for the Revenge Ransomware attack lose all the leverage that allows them to trick the victim and demand a ransom payment.

The Revenge Ransomware will encrypt the following file types:

.3G2, .3GP, .7Z, .AB4, .ACH, .ADB, .ADS, .AIT, .AL, .APJ, .ASF, .ASM, .ASP, .ASX, .BACK, .BANK, .BGT, .BIK, .BKF, .BKP, .BPW, .C, .CDF, .CDR, .CDX, .CE1, .CE2, .ODF, .ODG, .ODP, .ODS, .OIL, .ONE, .OTH, .OTP, .OTS, .P12, .P7B, .P7C, .PAS, .PAT, .PBO, .PCT, .PHP, .PIP, .PLC, .POT, .POTM, .POTX, .PPAM, .PPS, .PPSM, .PPSX, .PRF, .PSAFE3, .PSPIMAGE, .PUB, .PUZ, .PY, .QBA, .QBW, .R3D, .RAF, .RAR, .RAT, .RM, .RWZ, .SAS7BDAT, .SAY, .SD0, .SDA, .SNP, .SRF, .SRT, .ST4, .ST5, .ST6, .ST7, .ST8, .STC, .STD, .STI, .STX, .SXC, .SXI, .SXM, .VOB, .VSX, .VTX, .WAV, .WB2, .WLL, .WMV, .WPD, .X11, .XLA, .XLAM, .XLB, .XLL, .XLM, .XLR, .XLSB, .XLT, .XLTM, .XLTX, .M4A, .WMA, .D3DBSP, .XLW, .XPP, .XSN, .YUV, .ZIP, .SIE, .UNREC, .SCAN, .SUM, .T13, .T12, .QDF, .TAX, .PKPASS, .BC6, .BC7, .SIDN, .SIDD, .MDDATA, .ITL, .ICXS, .HVPL, .HPLG, .HKDB, .MDBACKUP, .SYNCDB, .GHO, .CAS, .WMO, .ITM, .SB, .FOS, .MOV, .VDF, .ZTMP, .SIS, .SID, .NCF, .MENU, .LAYOUT, .DMP, .BLOB, .ESM, .VCF, .VTF, .DAZIP, .FPK, .MLX, .KF, .IWD, .VPK, .TOR, .PSK, .RIM, .W3X, .FSH, .NTL, .ARCH00, .LVL, .SNX, .CFR, .FF, .VPP_PC, .LRF, .M2, .MCMETA, .VFS0, .MPQGE, .DB0, .DBA, .ROFL, .HKX, .BAR, .UPK, .DAS, .LITEMOD, .ASSET, .FORGE, .BSA, .APK, .RE4, .LBF, .SLM, .EPK, .RGSS3A, .PAK, .BIG, .WALLET, .WOTREPLAY, .XXX, .DESC, .M3U, .JS, .RB, .1CD, .DBF, .DT, .CF, .CFU, .MXL, .EPF, .KDBX, .VRP, .GRS, .GEO, .ST, .PFF, .MFT, .EFD, .3DM, .3DS, .RIB, .MA, .SLDASM, .SLDPRT, .MAX, .BLEND, .LWO, .LWS, .M3D, .MB, .OBJ, .X, .X3D, .MOVIE, .BYU, .C4D, .FBX, .DGN, .DWG, .4DB, .4DL, .4MP, .ABS, .ACCDB, .ACCDC, .ACCDE, .ACCDR, .ACCDT, .ACCDW, .ACCFT, .ADN, .A3D, .ADP, .AFT, .AHD, .ALF, .ASK, .AWDB, .AZZ, .BDB, .BND, .BOK, .THUMB, .TJP, .TM2, .TN, .TPI, .UFO, .UGA, .USERTILE-MS, .VDA, .VFF, .VPE, .VST, .WB1, .WBC, .WBD, .WBM, .WBMP, .WBZ, .WDP, .WEBP, .WPB, .WPE, .WVL, .X3F, .Y, .YSP, .ZIF, .CDR4, .CDR6, .CDRW, .JPEG, .DJVU, .PDF, .DDOC, .CSS, .PPTM, .RAW, .CPT, .JPG, .JPE, .JP2, .PCX, .PDN, .PNG, .PSD, .TGA, .TIFF, .TIF, .HDP, .XPM, .AI, .PS, .WMF, .EMF, .ANI, .APNG, .FLC, .FB2, .FB3, .FLI, .MNG, .SMIL, .SVG, .MOBI, .SWF, .HTML, .XLS, .XLSX, .XLSM, .XHTM, .MRWREF, .XF, .PST, .BD, .GZ, .MKV, .XML, .XMLX, .DAT, .MCL, .MTE, .CFG, .MP3, .BTR, .BAK, .BACKUP, .CDB, .CKP, .CLKW, .CMA, .DACONNECTIONS, .DACPAC, .DAD, .DADIAGRAMS, .DAF, .DASCHEMA, .DB, .DB-SHM, .DB-WAL, .DB2, .DB3, .DBC, .DBK, .DBS, .DBT, .DBV, .DBX, .DCB, .DCT, .DCX, .DDL, .DF1, .DMO, .DNC, .DP1, .DQY, .DSK, .DSN, .DTA, .DTSX, .DXL, .ECO, .ECX, .EDB, .EMD, .EQL, .FCD, .FDB, .FIC, .FID, .FM5, .FMP, .FMP12, .FMPSL, .FOL, .FP3, .FP4, .FP5, .FP7, .FPT, .FZB, .FZV, .GDB, .GWI, .HDB, .HIS, .IB, .IDC, .IHX, .ITDB, .ITW, .JTX, .KDB, .LGC, .MAQ, .MDB, .MDBHTML, .MDF, .MDN, .MDT, .MRG, .MUD, .MWB, .S3M, .MYD, .NDF, .NS2, .NS3, .NS4, .NSF, .NV2, .NYF, .OCE, .ODB, .OQY, .ORA, .ORX, .OWC, .OWG, .OYX, .P96, .P97, .PAN, .PDB, .PDM, .PHM, .PNZ, .PTH, .PWA, .QPX, .QRY, .QVD, .RCTD, .RDB, .RPD, .CER, .CFP, .CLASS, .CLS, .CMT, .CPI, .CPP, .CRAW, .CRT, .CRW, .CS, .CSH, .CSL, .CSV, .DAC, .DBR, .DDD, .DER, .DES, .DGC, .DNG, .DRF, .K2P, .DTD, .DXG, .EBD, .EML, .EXF, .FFD, .FFF, .FH, .FHD, .FLA, .FLAC, .FLV, .FM, .GRAY, .GREY, .GRW, .GRY, .H, .HPP, .IBD, .IIF, .INDD, .JAVA, .KEY, .LACCDB, .LUA, .M, .M4V, .MAF, .MAM, .MAR, .MAW, .MDC, .MDE, .MFW, .MMW, .MP4, .MPG, .MPP, .MRW, .MSO, .NDD, .NEF, .NK2, .NSD, .NSG, .NSH, .NWB, .NX1, .NX2, .ODC, .RSD, .SBF, .SDB, .SDF, .SPQ, .SQB, .STP, .SQL, .SQLITE, .SQLITE3, .SQLITEDB, .STR, .TCX, .TDT, .TE, .TEACHER, .TRM, .UDB, .USR, .V12, .VDB, .VPD, .WDB, .WMDB, .XDB, .XLD, .XLGC, .ZDB, .ZDC, .CDR3, .PPT, .PPTX, .1ST, .ABW, .ACT, .AIM, .ANS, .APT, .ASCII, .ASE, .ATY, .AWP, .AWT, .AWW, .BBS, .BDP, .BDR, .BEAN, .BIB, .BNA, .BOC, .BTD, .BZABW, .CHART, .CHORD, .CNM, .CRD, .CRWL, .CYI, .DCA, .DGS, .DIZ, .DNE, .DOC, .DOCM, .DOCX, .DOCXML, .DOCZ, .DOT, .DOTM, .DOTX, .DSV, .DVI, .DX, .EIO, .EIT, .EMAIL, .EMLX, .EPP, .ERR, .ETF, .ETX, .EUC, .FADEIN, .FAQ, .FBL, .FCF, .FDF, .FDR, .FDS, .FDT, .FDX, .FDXT, .FES, .FFT, .FLR, .FODT, .FOUNTAIN, .GTP, .FRT, .FWDN, .FXC, .GDOC, .GIO, .GPN, .GTHR, .GV, .HBK, .HHT, .HS, .HTC, .HWP, .HZ, .IDX, .IIL, .IPF, .JARVIS, .JIS, .JOE, .JP1, .JRTF, .KES, .KLG, .KNT, .KON, .KWD, .LATEX, .LBT, .LIS, .LIT, .LNT, .LP2, .LRC, .LST, .LTR, .LTX, .LUE, .LUF, .LWP, .LXFML, .LYT, .LYX, .MAN, .MAP, .MBOX, .MD5TXT, .ME, .MELL, .MIN, .MNT, .MSG, .MWP, .NFO, .NJX, .NOTES, .NOW, .NWCTXT, .NZB, .OCR, .ODM, .ODO, .ODT, .OFL, .OFT, .OPENBSD, .ORT, .OTT, .P7S, .PAGES, .PFS, .PFX, .PJT, .PLANTUML, .PRT, .PSW, .PU, .PVJ, .PVM, .PWI, .PWR, .QDL, .RAD, .README, .RFT, .RIS, .RNG, .RPT, .RST, .RT, .RTD, .RTF, .RTX, .RUN, .RZK, .RZN, .SAF, .SAFETEXT, .SAM, .SCC, .SCM, .SCRIV, .SCRIVX, .SCW, .SDM, .SDOC, .SDW, .SGM, .SIG, .SKCARD, .SLA, .SLAGZ, .SLS, .SMF, .SMS, .SSA, .STRINGS, .STW, .STY, .SUB, .SXG, .SXW, .TAB, .TDF, .TEXT, .THP, .TLB, .TM, .TMD, .TMV, .TMX, .TPC, .TRELBY, .TVJ, .TXT, .U3D, .U3I, .UNAUTH, .UNX, .UOF, .UOT, .UPD, .UTF8, .UNITY, .UTXT, .VCT, .VNT, .VW, .WBK, .WCF, .WEBDOC, .WGZ, .WN, .WP, .WP4, .WP5, .WP6, .WP7, .WPA, .WPL, .WPS, .WPT, .WPW, .WRI, .WSC, .DXF, .EGC, .EP, .EPS, .EPSF, .FH10, .FH11, .FH3, .FH4, .FH5, .FH6, .FH7, .FH8, .FIF, .FIG, .FMV, .FT10, .FT11, .FT7, .FT8, .FT9, .FTN, .FXG, .GDRAW, .GEM, .GLOX, .GSD, .HPG, .HPGL, .HPL, .IDEA, .IGT, .IGX, .IMD, .INK, .LMK, .MGCB, .MGMF, .MGMT, .MT9, .MGMX, .MGTX, .MMAT, .MAT, .OTG, .OVP, .OVR, .PCS, .PFD, .PFV, .PL, .PLT, .VRML, .POBJ, .PSID, .RDL, .SCV, .SK1, .SK2, .SLDDRT, .SNAGITSTAMPS, .SNAGSTYLES, .SSK, .STN, .SVF, .SVGZ, .SXD, .TLC, .TNE, .UFR, .VBR, .VEC, .VML, .VSD, .VSDM, .VSDX, .VSTM, .STM, .VSTX, .WPG, .VSM, .VAULT, .XAR, .XMIND, .XMMAP, .YAL, .ORF, .OTA, .OTI, .OZB, .OZJ, .OZT, .PAL, .PANO, .PAP, .PBM, .PC1, .PC2, .PC3, .PCD, .PDD, .PE4, .PEF, .PFI, .PGF, .PGM, .PI1, .PI2, .PI3, .PIC, .PICT, .PIX, .PJPEG, .PJPG, .PM, .PMG, .PNI, .PNM, .PNTG, .POP, .PP4, .PP5, .PPM, .PRW, .PSDX, .PSE, .PSP, .PSPBRUSH, .PTG, .PTX, .PVR, .PX, .PXR, .PZ3, .PZA, .PZP, .PZS, .Z3D, .QMG, .RAS, .RCU, .RGB, .RGF, .RIC, .RIFF, .RIX, .RLE, .RLI, .RPF, .RRI, .RS, .RSB, .RSR, .RW2, .RWL, .S2MV, .SAI, .SCI, .SCT, .SEP, .SFC, .SFERA, .SFW, .SKM, .SLD, .SOB, .SPA, .SPE, .SPH, .SPJ, .SPP, .SR2, .SRW, .STE, .SUMO, .SVA, .SAVE, .SSFN, .T2B, .TB0, .TBN, .TEX, .TFC, .TG4, .THM, .QBI, .QBR, .CNT, .V30, .QBO, .LGB, .QWC, .QBP, .AIF, .QBY, .1PA, .QPD, .SET, .ND, .RTP, .QBWIN, .LOG, .QBBACKUP, .TMP, .TEMP1234, .QBT, .QBSDK, .SYNCMANAGERLOGGER, .ECML, .QSM, .QSS, .QST, .FX0, .FX1, .MX0, .FPX, .FXR, .FIM, .BETTER_CALL_SAUL, .BREAKINGBAD, .HEISENBERG, .YTBL, .WSD, .WSH, .WTX, .XBDOC, .XBPLATE, .XDL, .XLF, .XPS, .XWP, .XY3, .XYP, .XYW, .YBK, .YML, .ZABW, .ZW, .2BP, .0, .36, .3FR, .411, .73I, .8XI, .9PNG, .ABM, .AFX, .AGIF, .AGP, .AIC, .ALBM, .APD, .APM, .APS, .APX, .ARTWORK, .ARW, .ASW, .AVATAR, .BAY, .BLKRT, .BM2, .BMP, .BMX, .BMZ, .BRK, .BRN, .BRT, .BSS, .BTI, .C4, .CAL, .CALS, .CAN, .CD5, .CDC, .CDG, .CIMG, .CIN, .CIT, .COLZ, .CPC, .CPD, .CPG, .CPS, .CPX, .CR2, .CT, .DC2, .DCR, .DDS, .DGT, .DIB, .DM3, .DMI, .VUE, .DPX, .WIRE, .DRZ, .DT2, .DTW, .DVL, .ECW, .EIP, .ERF, .EXR, .FAL, .FAX, .FIL, .FPOS, .G3, .GCDP, .GFB, .GFIE, .GGR, .GIF, .GIH, .GIM, .GMBCK, .GMSPR, .SPR, .SCAD, .GPD, .GRO, .GROB, .HDR, .HPI, .I3D, .ICN, .ICPR, .IIQ, .INFO, .INT, .IPX, .ITC2, .IWI, .J, .J2C, .J2K, .JAS, .JB2, .JBIG, .JBIG2, .JBMP, .JBR, .JFIF, .JIA, .JNG, .JPG2, .JPS, .JPX, .JTF, .JWL, .JXR, .KDC, .KDI, .KDK, .KIC, .KPG, .LBM, .LJP, .MAC, .MBM, .MEF, .MNR, .MOS, .MPF, .MPO, .MRXS, .MYL, .NCR, .NCT, .NLM, .NRW, .OC3, .WALLET, .OC4, .OC5, .OCI, .OMF, .OPLC, .AF2, .AF3, .AI, .ART, .ASY, .CDMM, .CDMT, .CDMTZ, .CDMZ, .CDT, .CGM, .CMX, .CNV, .CSY, .CV5, .CVG, .CVI, .CVS, .CVX, .CWT, .CXF, .DCS, .DED, .DESIGN, .DHS, .DPP, .DRW, .DXB, .AFS, .GPG, .AES, .ARC, .PAQ, .TAR, .BZ2, .TGZ, .DJV, .CMD, .BAT, .BRD, .SCH, .DCH, .DIP, .VBS, .MYI, .FRM, .ASC, .LAY6, .LAY, .MSLL, .DOCB, .MML, .UOP, .WKS, .SLK, .XLC, .DIF, .HWP, .UOT, .PEM, .CSR.

Update December 10th, 2018 — '.SYS File Extension' Ransomware

The '.SYS File Extension' Ransomware is an encryption ransomware Trojan that was first observed in the second week of December 2018. The '.SYS File Extension' Ransomware, like most encryption ransomware Trojans, takes the victims' files hostage to justify a demand of a ransom payment. To do this, the '.SYS File Extension' Ransomware uses a strong encryption algorithm to make the files inaccessible, and replace the files' names with a hexadecimal string of sixteen characters with the file extension '.SYS.' The '.SYS File Extension' Ransomware demands its ransom payment in the form of a text file named '_HELP_INSTRUCTION.TXT,' which contains a ransom demand.

How the '.SYS File Extension' Ransomware Attacks Your Files

The victims of the '.SYS File Extension' Ransomware attack will find that their files have been taken hostage. Threats like the '.SYS File Extension' Ransomware typically targets the user-generated files, which may include files with the following file extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr , .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby , .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, , .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

The '.SYS File Extension' Ransomware uses a strong file encryption method, which cannot be cracked with current technology. However, PC security researchers advise PC users to refrain from negotiating with the criminals responsible for the attack or paying any ransom linked to the '.SYS File Extension' Ransomware.

Dealing with the '.SYS File Extension' Ransomware Infection

The full text of the '.SYS File Extension' Ransomware ransom note, contained in a text file dropped on the infected computer reads:

'Hello!
Attention! All Your data was encrypted!
For specific informartion, please send us an email with Your ID number:
leab@tuta.io
itprocessor@protonmail.com
pcambulance1@protonmail.com
leablossom@yandex.com
blossomlea@yandex.com
leablossom@dr.com
Please send email to all email addresses! We will help You as soon as possible!
IMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!
DECRYPT-ID-'

Computer users are instructed to ignore the instructions in this ransom note and avoid contacting the criminals via any of the provided email addresses. The best way to deal with a '.SYS File Extension' Ransomware infection is to replace any compromised data from a backup copy. Generally, computer users should have backup copies of all their data stored by trusted services. Having access to backups is the best way to ensure that the data is safe in the event of an attack. Apart from having file backups that can be used to restore any compromised data, PC security researchers strongly advise computer users to use a security program to monitor their PCs and prevent infections like the '.SYS File Extension' Ransomware from taking hold.