REvil’s new Linux version

July 1, 2021  |  Fernando Martinez

This blog was jointly authored with Ofer Caspi.

Executive summary

The ransomware-as-a-service (RaaS) operation behind REvil have become one of the most prolific and successful threat groups since the ransomware first appeared in May 2019. REvil has been primarily used to target Windows systems. However, new samples have been identified targeting Linux systems. AT&T Alien Labs™ is closely monitoring the ransomware landscape and has already identified four of these samples in the wild during the last month, after receiving a tip from MalwareHuntingTeam. The purpose of this blog is to share recent findings and a summary of the adversary, malware family, and detection options.

Key Takeaways:

  • REvil ransomware authors have expanded their arsenal to include Linux ransomware, which allows them to target ESXi and NAS devices.
  • The new Linux version has similarities to the Windows version, which has impacted companies such as JBS, Acer, and Travelex, as already reported by the FBI and the media. 


REvil is also known as Sodinokibi or Sodin. It is a ransomware family operated as a ransomware-as-a-service (RaaS). Deployments of REvil were first observed in April 2019, exploiting a published vulnerability in Oracle WebLogic (CVE-2019-2725). Since then, REvil has become one of the most prolific RaaS groups, after being attributed ransom attacks to JBS, Acer, Travelex, and the most recent one U.K.-based fashion brand French Connection this week.

REVIL Victims




National Western Life


United States

Eurecat (Eurecat SA)


France, United States

Light S.A.



Quest Worldwide



Brown Forman Corporation

Food and Beverage Services

United States





Information Technology

United States



United States

Viva Resorts


United States

Schramm Inc.


United States




Quanta Computer

Information Technology



Food and Beverage Services

Brasil, United States


Information Technology




United Kingdom

French Connection


United Kingdom

Grupo Fleury





United States


Ransomware-as-a-service is a method for individuals to purchase prebuilt malware families for their own malicious use. RaaS has been sold on the dark web and has been the approach used by a variety of other criminal groups, such as DarkSide. One thing to keep in mind is RaaS is not limited to buyers who lack their own capabilities. For example, a highly skilled adversarial team supporting a nation state could make use of RaaS families to gain access into a targeted network to avoid pre- and post- compromise attribution and objective identification.


The threat actors behind REvil ransomware have expanded their arsenal to include Linux ransomware. As announced on a dark web blog and reported by AdvIntel in early May 2021, REvil has ported their Windows ransomware version to the Linux architecture.

These software upgrades follow the trend seen in other popular RaaS groups, like DarkSide, where they have added Linux capabilities to include ESXi in their scope of potential targets. The hypervisor ESXi allows multiple virtual machines (VM) to share the same hard drive storage. However, this also enables attackers to encrypt the centralized virtual hard drives used to store data from across VMs, potentially causing disruptions to companies. According to the blog post, in addition to targeting ESXi, REvil is also targeting NAS devices as another storage platform with the potential to highly impact the affected companies.

In late May 2021 the first REvil ransomware samples affecting *nix systems and ESXi were observed in the wild. The samples are ELF64 executables, with similarities to the Windows REvil executable, being the most noticeable among the configuration options.

Before encrypting all the files, REvil runs the esxcli command line tool to list all running ESXi VMs and terminate them. By doing this, the attacker ensures no other VM is handling the files to be encrypted, avoiding corruption issues of the encrypted files. However, the executable has a specific parameter to run in silent mode, which avoids debugging without stopping any VMs.

command to kill VMs

Figure 1: ESXi command to kill running VMs, as captured by Alien Labs.

In addition to the above-mentioned parameter, the threat actor can specify the number of threads to use (the default value is 50) and the path to encrypt. (By default, the malware will encrypt the current directory and its subfolders.)

During execution, the malware will first check if its configuration exists. The configuration file format is very similar to the one observed for REvil Windows samples, but with fewer fields. Some of the fields presented in both versions include:

  • Pk: Base64-encoded value containing the attacker's public key used to encrypt files
  • Sub: 7987 representing the affiliate identifier
  • Dbg: Determines if the victim is Russian, terminating the execution if the language set in the victim’s system is not the expected one
  • Nbody: Ransom note body contents encoded in base64; decoded contents are shown in Figure 3
  • Nname: Ransom note filename
  • Rdmcnt: Unique value not previously seen in REvil configurations
  • Ext: Encrypted extension, which appears to be five random character; the observed extensions include .rhkrc, .qoxaq, .naixq, and . 7rspj.

REvil config file

Figure 2: Hard-coded config file, as captured by Alien Labs.            

REvil ransom note

Figure 3: Hard-coded ransom note after decoding, as captured by Alien Labs.

The malware will loop through the target folder, encrypting the files in it. Before encryption, it will check to see if the file has already been encrypted by looking at the filename extension.

During encryption, the malware will generate a 64 bytes XOR key, based on the pk key given in the config file. It will use this key during the encryption process. After encryption, the malware will write the generated key “IV” at the end of each file and leave a ransom note in each folder.

REvil encryption

Figure 4: Main encryption routine, as captured by Alien Labs.

REvil  main encryption

Figure 5: Main encryption routine, as captured by Alien Labs.

The malware will log all the files it goes through, stating if the file was encrypted or if it was unable to encrypt due to OS protection.

REvil encyption logs

Figure 6: Encryption logs, as captured by Alien Labs.

REvil execution output

Figure 7: Execution output, as captured by Alien Labs. .


The threat actors behind REvil RaaS have rapidly developed a Linux version to compete against the recently released Linux version of DarkSide. It is hard to clarify if these two RaaS are competing against each other or collaborating team members, as stated by other security researchers. Nevertheless, both actors have been very active in the ransomware landscape during the last months, and these upgrades will keep them in the spotlight due to the increased attacking spectrum.

Appendix A. Detection Methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.


rule REvilLinux



        author = "AlienLabs"

        description = "REvil Linux"

        sha256 = "ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4  "


        $func = "File [%s] was NOT encrypted"

        $sleep = "esxcli"

        $re = "[%s] is protected by os"

        $a3 = "Error create note in dir %s"


        uint32(0) == 0x464C457F and 3 of them


Appendix B. Associated Indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.







REvil Linux sample



REvil Linux sample



REvil Linux sample



REvil Linux sample


Appendix C. Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

  • TA0043: Reconnaissance
    • TA1592: Gather Victim Host Information
  • TA0042: Resource Development
    • T1583: Acquire Infrastructure
    • T1587: Develop Capabilities
  • TA0005: Defense Evasion
    • T1027: Obfuscated Files or Information
  • TA0007: Discovery
    • T1083: File and Directory Discovery
  • TA0009: Collection
    • T1005: Data from Local System
  • TA0040: Impact
    • T1486: Data Encrypted for Impact

Share this with others

Featured resources



2024 Futures Report

Get price Free trial