REvil ransomware has been updated with a new feature that lets its operators automate file encryption in Safe Mode after changing the Windows password. It builds on the Safe Mode encryption added last month, which required a manual login to Safe Mode before encryption started.

What has happened?

In late March, a security researcher spotted a new sample of REvil. In this sample, the attackers refined the Safe Mode encryption, which had earlier been seen as a red flag because it relied on manual login.
  • In the new variant, when the -smode argument is used, the ransomware will change the user's password to DTrump4ever. It then configures the registry values to perform automatic login with the new account info.
  • It is not known if new samples of the ransomware still use the DTrump4ever password. However, at least two samples uploaded to VirusTotal were found to be using this password.
  • In addition, causing a Windows system to reboot in safe mode would allow the ransomware operators to make changes that may otherwise not be possible in normal running mode.
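
Detection logic for the autologon change described above, added here as an example and not taken from the article or from any REvil analysis: it flags a process that both enables AutoAdminLogon and writes DefaultPassword under the Winlogon key. The value names are the standard Windows autologon values (an assumption, since the article does not name them), and the events are constructed, shaped like Sysmon Event ID 13 records.

```python
import json
from collections import defaultdict

# Assumption: the article only says "registry values"; these are the standard
# Windows autologon values under the Winlogon key.
WINLOGON = "hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\"
WATCHED = {"autoadminlogon", "defaultusername", "defaultpassword"}

# Constructed sample events, shaped like Sysmon Event ID 13 (registry value set).
SAMPLE_EVENTS = r"""
{"ProcessGuid": "{guid-A}", "Image": "C:\\Users\\Public\\sample.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DefaultUserName", "Details": "alice"}
{"ProcessGuid": "{guid-A}", "Image": "C:\\Users\\Public\\sample.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DefaultPassword", "Details": "constructed-value"}
{"ProcessGuid": "{guid-A}", "Image": "C:\\Users\\Public\\sample.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AutoAdminLogon", "Details": "1"}
{"ProcessGuid": "{guid-B}", "Image": "C:\\Windows\\System32\\example.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DefaultPassword", "Details": "constructed-value"}
{"ProcessGuid": "{guid-B}", "Image": "C:\\Windows\\System32\\example.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AutoAdminLogon", "Details": "0"}
{"ProcessGuid": "{guid-C}", "Image": "C:\\Program Files\\Example\\app.exe", "TargetObject": "HKLM\\SOFTWARE\\Example\\DefaultPassword", "Details": "x"}
"""

def find_autologon_tampering(lines):
    """Return {ProcessGuid: Image} for every process that set
    AutoAdminLogon to "1" and also wrote DefaultPassword."""
    writes = defaultdict(dict)   # ProcessGuid -> {value name: data written}
    images = {}                  # ProcessGuid -> executable path
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        target = ev["TargetObject"].lower()
        if not target.startswith(WINLOGON):
            continue             # same value name under another key is ignored
        value = target[len(WINLOGON):]
        if value in WATCHED:
            writes[ev["ProcessGuid"]][value] = ev["Details"]
            images[ev["ProcessGuid"]] = ev["Image"]
    return {
        guid: images[guid]
        for guid, vals in writes.items()
        if vals.get("autoadminlogon") == "1" and "defaultpassword" in vals
    }

if __name__ == "__main__":
    for guid, image in find_autologon_tampering(SAMPLE_EVENTS.splitlines()).items():
        print(f"autologon enabled with stored password by {image} ({guid})")
```

Legitimate kiosk or lab provisioning also sets these values, so in practice the hit list is filtered against known deployment tooling before alerting.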

Recent activities 

REvil has been very active recently and has targeted several well-known entities around the world.
  • A few weeks ago, the ransomware targeted the IT giant Acer and demanded a record $50 million ransom.
  • Last month, the REvil gang warned that it would perform DDoS attacks on victims who refuse to pay the ransom. The operators also warned that they would make VoIP calls to the victim's partners and to journalists to tell them about the attack.


The recent changes made by REvil operators indicate that this ransomware gang is desperately looking to enhance its malware and evolve its tactics. This is expected to encourage other ransomware gangs to follow in REvil's footsteps and cause catastrophic damage. Security experts emphasize that staying aware and proactively strengthening defenses is the recommended way to deal with such challenges.
Cyware Publisher