constellix background

REvil Hacking Group Changes Windows Passwords

April 8, 2021
DNS Provider Resource
Compare DNS Providers - Alternative Comparison Free Demo


Subnet Mask Cheat SheetRecords Cheat SheetGeoDNS ExplainedFree Network TroubleshooterKnowledge BasePricing CalculatorLive CDN PerformanceVideo DemosOutage Prevention - CDN Outage - DDos Attack Prevention - DNS Outage


BlogsNewsPress ReleasesIT NewsTutorials
Book a Free Demo →

Want DNS Freebies?

Give us your email and we'll send you the good stuff.

Thanks for joining our newsletter.
Oops! Something went wrong.
Enterprise DNS


Tanya Valdez is a Technical Writer at Constellix. She makes the information-transfer material digestible through her own transfer of information to our customers and readers. Connect with her on LinkedIn.

Connect with

The hacker group that hit Acer with a $50 million ransomware attack on March 25, 2021 is working on its new victims. REvil recently stated that their goal is to make $2 billion in ransomware attacks in one year and boasted its $100 million in earnings for a previous year. 

REvil Ransomware Logs Windows Into Safe Mode

Last month, REvil added a new ability to encrypt files in Windows Safe Mode that seemingly assists in evading security detection. Windows Safe Mode is a startup method that loads only the necessary software and drivers needed for the operating system to function. This is commonly used to run administrative and diagnostic tasks.  

Programs that were installed in Windows to start automatically do not start in Safe Mode, unless configured to do so. To bypass this autostart, REvil created two RunOnce keys of which one will be used to force an uninterrupted restart of Windows and the other to relaunch the REvil ransomware. Both RunOnce entries are automatically deleted by Windows. 

New Version Changes Windows Passwords

The previous ransomware version required a manual login for the encryption to begin. Security reseacher, R3MRUM, discovered a new version of REvil’s Safe Mode encryption that changes the user’s password and configures Windows to automatically login on reboot. According to Bleeping Computer, the user’s password was changed to ‘DTrump4ever’ in the following Registry values.

It’s not clear if this password will continue to be in use, but it was the same used in two discovered samples. 

This is just the latest strategy that the group has added to its tactics in its ransomware-as-a-service (RaaS), including VoIP calls and DDoS attacks. 

image source:

Priority DNS Security - image

Need better DNS?
We can help.

• 100% Uptime guarantee
• Configure with ease
• Prevent DDoS attacks
• Monitor your domains
• Optimize site traffic
• Enhance domain performance
• Free POC Account + Demo


Constellix DNS News

REvil, cybersecurity, hacker, hacker group, ransomware

Sign up for industry news and insights. It'll be worth it.

Sign up for news and offers from Constellix and DNS Made Easy

Thanks for joining our newsletter.
Oops! Something went wrong.