Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


.REVENGE File Virus Remove and Restore Files

Article created to help you remove the Revenge ransomware virus and restore files encrypted with the .revenge file extension.

A well-coded ransomware infection that is using the AES and RSA encryption algorithms has been reported to infect users since March 2017. The ransomware virus Is dubbed Revenge ransomware and aims to encrypt the files on the computers infected by it. After the encryption, Revenge ransomware drops a # !!!HELP_FILE!!! #.TXT note in which it demands a payment to return all the files. The virus creators communicate via e-mail. In case you have become a victim of this ransomware infection, recommendations are to read this article completely.

Threat Summary

Name

Revenge

Type Ransomware
Short Description The malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
Symptoms The user may witness ransom notes and “instructions” linking to a web page and a decryptor. Changed file names and the file-extension .REVENGE has been used.
Distribution Method Via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by Revenge

Download

Malware Removal Tool

User Experience Join our forum to Discuss Revenge.
Data Recovery Tool Data Recovery Pro by ParetoLogic Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Revenge Ransomware – How Does It Infect

For this virus to become active and infect an increasing number of Windows users’ multiple techniques are reportedly used. One of them is to utilize malicious files that contain either the Rig Exploit Kit or EiTest kit, web-injectors and fake updates for the infection. Such may be spread by being added as web links or malicious e-mail attachments in archives. The e-mails accompanying those attachments may contain deceptive messages that aim to trick the user into opening them, for instance:

After the user opens the malicious e-mail attachment, Revenge ransomware becomes activated and multiple malicious files are downloaded onto the computer of the user:

  • Rig-EK.swf
  • Svchost.exe
  • {random named file}.exe
  • {random named file(2)}.exe
  • {random named file(3)}.exe
  • {random named file}.bin.exe
  • # !!!HELP_FILE!!! #.TXT

Most of the files are located in the %AppData% dorectory. But there is also the situation with malicious files that are located in the %Windows NT% directory.

Revenge Ransomware – Infection Analysis

After the infection by Revenge ransomware has been initiated, the virus begins to perform multiple different types of modifications to the computer, starting with the executing of administrative Windows commands in the Command Prompt without the user noticing. The commands are reported by researchers to be the following:

→ /C vssadmin.exe Delete Shadows /All /Quiet
/C bcdedit /set {default} recoveryenabled No
/C bcdedit /set {default} bootstatuspolicy ignoreallfailures
/C net stop vss
/C vssadmin.exe Delete Shadows /All /Quiet
/C net stop vss

These commands are executed with the one and only purpose to stop the volume shadow service and delete the volume shadow copies (backed up files) in a quiet mode, without the user even seeing it.

In the meantime, Revenge ransomware also establishes connection with the following hosts:

  • dfg.stickneylodge.com (217.107.34.86)
  • 109.236.87.201
  • www.everythingcebu.com

The virus also performs multiple other modifications, such as changing the functionality of the autorun service to run malicious executables on system boot. Revenge ransomware also steals confidential information from the web browsers of the infected computer and this may even include passwords and login usernames. This activity is very typical for evolved ransomware viruses, known as doxware.

Revenge Ransomware – Encryption Process

For the encryption of Revenge ransomware, multiple different processes are initiated in the Windows Task Manager to ensure that it is uninterrupted. The encryption procedure targets over 400 different types of files, including pictures, archives, documents, videos and other widely used content. When we put together all of the file extensions together, the list of encrypted files, if detected, becomes quite big:

.1CD, .3DM, .3DS, .3FR, .3G2, .3GP, .3PR, .7Z, .7ZIP, .AAC, .AB4, .ABD, .ACC,.ACCDB, .ACCDE, .ACCDR, .ACCDT, .ACH, .ACR, .ACT, .ADB, .ADP, .ADS, .AGDL, .AI, .AIFF, .AIT, .AL, .AOI, .APJ, .APK, .ARW, .ASCX, .ASF, .ASM, .ASP, .ASPX, .ASSET, .ASX, .ATB, .AVI, .AWG, .BACK, .BACKUP, .BACKUPDB, .BAK, .BANK, .BAY, .BDB, .BGT, .BIK, .BIN, .BKP, .BLEND, .BMP, .BPW, .BSA, .C, .CASH, .CDB, .CDF, .CDR, .CDR3, .CDR4, .CDR5, .CDR6, .CDRW, .CDX, .CE1, .CE2, .CER, .CFG, .CFN, .CGM, .CIB, .CLASS, .CLS, .CMT, .CONFIG, .CONTACT, .CPI, .CPP, .CR2, .CRAW, .CRT, .CRW, .CRY, .CS, .CSH, .CSL, .CSS, .CSV, .D3DBSP, .DAC, .DAS, .DAT, .DB .DB_JOURNAL, .DB3, .DBF, .DBX, .DC2, .DCR, .DCS, .DDD, .DDOC, .DDRW, .DDS, .DEF, .DER, .DES, .DESIGN, .DGC, .DGN, .DIT, .DJVU, .DNG, .DOC, .DOCM, .DOCX, .DOT, .DOTM, .DOTX, .DRF, .DRW, .DTD, .DWG, .DXB, .DXF, .DXG, .EDB, .EML, .EPS, .ERBSQL, .ERF, .EXF, .FDB, .FFD, .FFF, .FH, .FHD, .FLA, .FLAC, .FLB, .FLF, .FLV, .FLVV, .FORGE, .FPX, .FXG, .GBR, .GHO, .GIF, .GRAY, .GREY, .GROUPS, .GRY, .H, .HBK, .HDD, .HPP, .HTML, .IBANK, .IBD, .IBZ, .IDX, .IIF, .IIQ, .INCPAS, .INDD, .INFO, .INFO_, .IWI, .JAR, .JAVA, .JNT, .JPE, .JPEG, .JPG, .JS, .JSON, .K2P, .KC2, .KDBX, .KDC, .KEY, .KPDX, .KWM, .LACCDB, .LBF, .LCK, .LDF, .LIT, .LITEMOD, .LITESQL, .LOCK, .LTX, .LUA, .M, .M2TS, .M3U, .M4A, .M4P, .M4V, .MA, .MAB, .MAPIMAIL, .MAX, .MBX, .MD, .MDB, .MDC, .MDF, .MEF, .MFW, .MID, .MKV, .MLB, .MMW, .MNY, .MONEY, .MONEYWELL, .MOS, .MOV, .MP3, .MP4, .MPEG, .MPG, .MRW, .MSF, .MSG, .MTS, .MYD, .ND, .NDD, .NDF, .NEF, .NK2, .NOP, .NRW, .NS2, .NS3, .NS4, .NSD, .NSF, .NSG, .NSH, .NVRAM, .NWB, .NX2, .NXL, .NYF, .OAB, .OBJ, .ODB, .ODC, .ODF, .ODG, .ODM, .ODP, .ODS, .ODT, .OGG, .OIL, .OMG, .ONE, .ORF, .OST, .OTG, .OTH, .OTP, .OTS, .OTT, .P12, .P7B, .P7C, .PAB, .PAGES, .PAS, .PAT, .PBF, .PCD, .PCT, .PDB, .PDD, .PDF, .PEF, .PFX, .PHP, .PIF, .PL, .PLC, .PLUS_MUHD, .PM!, .PM, .PMI, .PMJ, .PML, .PMM, .PMO, .PMR, .PNC, .PND, .PNG, .PNX, .POT, .POTM, .POTX, .PPAM, .PPS, .PPSM, .PPSX, .PPT, .PPTM, .PPTX, .PRF, .PRIVATE, .PS, .PSAFE3, .PSD, .PSPIMAGE, .PST, .PTX, .PUB, .PWM, .PY, .QBA, .QBB, .QBM, .QBR, .QBW, .QBX, .QBY, .QCOW, .QCOW2, .QED, .QTB, .R3D, .RAF, .RAR, .RAT, .RAW, .RDB, .RE4, .RM, .RTF, .RVT, .RW2, .RWL, .RWZ, .S3DB, .SAFE, .SAS7BDAT, .SAV, .SAVE, .SAY, .SD0, .SDA, .SDB, .SDF, .SH, .SLDM, .SLDX, .SLM, .SQL, .SQLITE, .SQLITE3, .SQLITEDB, .SQLITE-SHM, .SQLITE-WAL, .SR2, .SRB, .SRF, .SRS, .SRT, .SRW, .ST4, .ST5, .ST6, .ST7, .ST8, .STC, .STD, .STI, .STL, .STM, .STW, .STX, .SVG, .SWF, .SXC, .SXD, .SXG, .SXI, .SXM, .SXW, .TAX, .TBB, .TBK, .TBN, .TEX, .TGA, .THM, .TIF, .TIFF, .TLG, .TLX, .TXT, .UPK, .USR, .VBOX, .VDI, .VHD, .VHDX, .VMDK, .VMSD, .VMX, .VMXF, .VOB, .VPD, .VSD, .WAB, .WAD, .WALLET, .WAR, .WAV, .WB2, .WMA, .WMF, .WMV, .WPD, .WPS, .X11, .X3F, .XIS, .XLA, .XLAM, .XLK, .XLM, .XLR, .XLS, .XLSB, .XLSM, .XLSX, .XLT, .XLTM, .XLTX, .XLW, .XML, .XPS, .XXX, .YCBCRA, .YUV, .ZIP Source: id-ransomware.blogspot.bg

For the encryption process, Revenge ransomware reportedly uses two types of encryption algorithms which are both very strong:

  • RSA-1024
  • AES-256

For the specific encryption process of the files, the AES cipher may be used. Bytes of the original files are replaced with encrypted data and the files become no longer openable. After the procedure is complete, the RSA cipher may be additionally applied to generate unique decryption keys, which makes decryption even more difficult and highly unlikely.

The files are appended the .revenge file extension after the encryption process has completed and they may also contain a victim id, the file name in an encrypted format, a 8 character string and another filename in an 8 character encrypted format and after all of these, the files have the extension appended. They may look like the following:

After the encryption process is complete, the # !!!HELP_FILE!!! #.TXT appears on the infected computer. It has the same message written in 5 languages (English, Italian, German, Polish, Korean):

Remove Revenge Ransomware and Restore .REVENGE Files

Before attempting any removal of this ransomware infections, malware researchers strongly recommend to focus on backing up the files that have been encrypted by this ransomware infection, just in case.

Then, we advise you to follow the step-by-step removal guide below which will show you how to remove the Revenge ransomware infection from your computer permanently. In case you lack the experience to perform a manual removal, experts always advise taking the approach that is conducted automatically. It includes the download and installation of an advanced anti-malware program which will take care of the Revenge virus swiftly and protect your computer in the future too.

After having already taken care of the malicious objects dropped by Revenge on your computer, recommendations are to try and restore your files using alternative tools, like the ones we suggested in step “2. Restore files encrypted by Revenge” below. These tools are in no way guarantee that you will recover all your encrypted data, however they are a good alternative, because at least some of the files can be recovered this way.

Manually delete Revenge from your computer

Note! Substantial notification about the Revenge threat: Manual removal of Revenge requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Revenge files and objects
2.Find malicious files created by Revenge on your PC

Automatically remove Revenge by downloading an advanced anti-malware program

1. Remove Revenge with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Revenge
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.