REvil/Sodinokibi ransomware has been active since 2019, with breaks due to law enforcement.
The ransomware can run with one of the following parameters: "-nolan", "-nolocal", "-path",
"-silent", "-smode", “-fast”, and “-full”. The malware comes with an RC4 encrypted configuration,
kills a list of targeted processes, and stops some specified services. It also deletes all Volume
Shadow Copies using WMI and targets logical drives and network shares.
The sample only renames the files that are supposed to be encrypted due to a bug
implemented by the developers. REvil implements a combination of ECC (Curve25519) and
Salsa20 algorithms during the encryption process. The ransomware can operate in Safe Mode by
specifying a parameter, and it establishes persistence in this case by creating an entry under the
Link : https://securityscorecard.pathfactory.com/research/detailed-analysis-revil#page=1
*Beware click the link!