The REvil ransomware group, one of the most infamous Ransomware-as-a-Service (RaaS) providers, recently made a sudden exit that surprised everyone. In a detailed report released recently, McAfee Labs described the use of DLL sideloading in REvil’s attacks.

What is DLL sideloading?

In simpler terms, attackers using this technique find a way to replace a legitimate DLL with a malicious one. Generally, this technique is used by APT groups to avoid raising any flags on security radars.

DLL sideloading by REvil

According to the report, the REvil group has been using a DLL sideloading technique to run ransomware code.
  • In the attack, the MsMpEng[.]exe file loads the functions of MpSvc[.]dll during the execution.
  • Meanwhile, the attacker replaces the clean MpSvc[.]dll with the ransomware binary.
  • The malicious DLL has an export function called ServiceCrtMain that gets activated by the Microsoft Defender file. This method allows the execution of malicious files with a digitally signed binary.
  • This ransomware uses the RC4 algorithm to decrypt its config file that contains information that is used for the encryption process and then performs a UI language check.
  • Moreover, the ransomware finds out the layout of the user keyboard. However, it skips targeting a particular list of countries such as Russia, Belarus, and Ukraine.

REvil’s disappearance creating a new menace

After the U.S. President demanded cooperation from the Russian government in the fight against the continuous ransomware attacks, the group’s activities were seized. It is speculated that the Russian government could have shut down this group. However, this is causing a menace for its victims.
  • The sudden disappearance of the group could be good news for the security community, however, it is a nightmare for the current victims who were already in negotiation with the REvil group.
  • Some researchers suggested that during such takedowns, it would be helpful if the goal is to obtain the decryption keys and make them public to help the current victims.


The REvil gang was using DLL sideloading to avoid detection, which is mostly observed in APT attacks. Moreover, the departure from the ransomware business could be a temporary attempt to fool law enforcement after the recent high-profile supply chain attack on IT software firm Kaseya.

Cyware Publisher