Revon Ransomware
Malware threats are a dime a dozen these days, as it seems a day can’t pass without some new virus coming along. The Revon ransomware, a member of the Phobos family of ransomware, first appeared in the wild around the start of April 2020. The new threat isn’t that much different from the old ones; the purpose of the ransomware is to steal money from victims.
Table of Contents
What Does Revon Ransomware Do?
Once Revon works its way into a system, it changes the settings on the system to assume persistence and encrypts personal files using an AES encryption. The encryption process includes assigning the ".revon" file extension to files to make them inaccessible.
Once the process is complete, Revon creates and deposits two ransom notes. One is called info.fta, and the other is called info.txt. These ransom notes explain that the personal data on the computer has been locked. Victims should contact that by sending an email to werichibin@protonmail.com or werichbin.cock.li to negotiate a bitcoin payment for the decryption tool needed to decrypt data. While there is no public decryption key for Revon available, users should nevertheless avoid negotiating with hackers. There may be other ways to restore lost files.
As mentioned before, Revon falls under the Phobos family of ransomware. Phobos is among the most extensive ransomware families there is. Phobos itself is similar to Dharma. Both ransomware uses the same pattern of delivering ransom notes and uses many of the same features, such as encryption and decryption.
Revon Ransomware note
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail werichbin@protonmail.com
Write this ID in the title of your message 1R74D44-2945
In case of no answer in 24 hours write us to this e-mail:werichbin@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
How Does Revon Ransomware Spread?
Revon works much the same as other Phobos ransomware such as Dewar, Dever, and Razor. The ransomware is used against businesses and public entities primarily but is known to infect random users. Given that the virus mainly targets companies, it spreads mainly through vulnerabilities in Remote Desktop Connections. The threat actors behind the virus scan for vulnerable connections and then force their way on to the target computer. Revon can also spread through a range of other means, including:
- Spam emails
- Web injections
- Software cracks
- Malicious ads
- Other exploits
- Fake software updates
Malware like this can spread through Process Hacker 2, which is an open-source application used to monitor systems. Revon may be able to steal information from apps and browsers, including login credentials, on top of causing significant financial damage. This is why it is so important to remove the ransomware as quickly as possible – and take steps to prevent possible infections.
How to Undo the Damage Caused by Revon Ransomware
The Revon virus makes several changes to the Windows system before encrypting files. One of the first things it does is to delete Shadow Volume Copies. The command used to do this is "vssadmin delete shadows / all / quiet." This command makes it more difficult for users to recover their lost data by themselves. The virus also changes Windows registry keys to gain persistence on the machine, infects any external drives attached to the computer, and spreads across the network if possible.
It’s after all of this that Revon starts the encryption process. Data is encrypted with the use of a symmetric encryption algorithm AES. The encryption uses the same key to lock and unlock the files, with the key sent to the Command and Control (C2) server operated by the hackers.
It is this step that makes it possible for attackers to blackmail their victims. Users need the encryption key possessed by the hackers to decode their files. Even so, there have been many confirmed cases of people not receiving their decryption key after making the required payment. Security experts always recommend against contacting the attackers and meeting their demands because of this. There is no guarantee that victims will get their data back.
Given that there is currently no public decryption tool available, it’s recommended that you back up files before removing the ransomware. Doing this helps to prevent permanent data loss. Antivirus software and antimalware software can be used to eliminate the infection itself, and these tools can help to prevent initial infection. Keep in mind that restoring lost files without removing the virus is pointless, as restored files will just get encrypted again.
If you have ready-made backups of uninfected files, there’s no need to back up any locked data. In that case, you’ll want just to eliminate the virus quickly and restore your backed up data. Several tools can help to restore normal computer function once you’ve gotten rid of the infection.
Prevent Revon Infection
Given that the Revon ransomware can spread to network drives and connected devices, an infection could have drastic consequences. The best way to prevent these consequences from happening would be to avoid an infection in the first place. Keep up-to-date backups of all your most important data and have them saved in as many locations and remote servers as possible. Having cloud backups helps in the event of a virus that can spread to connected network drives as Revon can.
Unfortunately, having robust backups in place isn’t the same kind of protection that it once was. Many ransomware authors have taken to using stolen sensitive information to blackmail victims. The attackers threaten to publish this information publicly if they don’t get the money they demand. Not only does the attack cause data loss, but it could also mean sensitive data is compromised. There are currently no reports that this has happened with Revon yet, but there’s no telling what the future may bring.
As a personal user, take steps to prevent infections. Don’t interact with unsolicited and suspicious emails; avoid using third-party download websites, and keep all your software up to date. For businesses, be sure to teach anyone who has access to a computer the importance of good digital hygiene.
