REvil ransomware, also known as Sodinokibi, was first widely observed in late April 2019. REvil operates as Ransomware-as-a-Service (RaaS), in which a core group retains the source code while affiliates distribute the ransomware. Many researchers believe that REvil is related to GandCrab ransomware, since GandCrab activity dropped sharply when REvil appeared and the two share code.

The operators behind the development and maintenance of this malware have released a new version, REvil ransomware 2.2. This new version uses the Windows Restart Manager API to terminate processes that hold open a file targeted for encryption. This matters because when a file is already open in one process, Windows denies another process's attempt to work on that same file. Intel 471's malware intelligence researchers found that Sodinokibi ransomware now applies this technique using Windows Restart Manager. Windows Restart Manager is also used by other ransomware, such as SamSam and LockerGoga. In addition, REvil opens files for encryption without sharing (dwShareMode is equal to 0). As a result, Restart Manager is notified every time an attempt is made to open an already open file. The operators also added a command-line option, "silent", which skips the blacklisted processes and services as well as shadow copy deletion.
Well-known analyst Vitali Kremez noted that the REvil Decryptor v2.2 also uses the Windows Restart Manager API to terminate any process holding the files being decrypted. With these new features, REvil ransomware 2.2 can now encrypt some extremely critical files that earlier versions could not.
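The behaviour described above (a Restart Manager session that registers many user files, a shutdown of their owners, then exclusive opens with dwShareMode = 0) is a pattern a defender can look for in API-call telemetry. The following is an added detection example, not code from the article or from any vendor: it runs a heuristic over a constructed sample trace, and the event format, process names and file paths are assumptions made up for the example; the API names are the documented Restart Manager and file functions.

```python
"""Heuristic for the REvil 2.2 Restart Manager pattern over an API-call trace."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class ApiEvent:
    pid: int
    image: str
    api: str            # e.g. RmStartSession, RmRegisterResources, RmShutdown, CreateFileW
    path: str = ""
    share_mode: Optional[int] = None   # dwShareMode for CreateFileW events


# Constructed sample trace (not real telemetry): pid 100 is a benign installer
# that only asks Restart Manager which process holds one DLL; pid 200 registers
# many documents, shuts their owners down, then opens each file exclusively.
DOCS = [rf"C:\Users\u\Documents\report{i}.docx" for i in range(6)]
SAMPLE_TRACE = [
    ApiEvent(100, "setup.exe", "RmStartSession"),
    ApiEvent(100, "setup.exe", "RmRegisterResources", r"C:\Program Files\App\app.dll"),
    ApiEvent(100, "setup.exe", "RmGetList"),
    ApiEvent(100, "setup.exe", "RmEndSession"),
    ApiEvent(200, "update.exe", "RmStartSession"),
    *[ApiEvent(200, "update.exe", "RmRegisterResources", p) for p in DOCS],
    ApiEvent(200, "update.exe", "RmShutdown"),
    *[ApiEvent(200, "update.exe", "CreateFileW", p, share_mode=0) for p in DOCS],
]


def score_processes(trace, min_files=5):
    """Return {pid: [reasons]} for processes matching the ransomware-like pattern.

    min_files is the threshold that separates a normal installer (one or two
    files) from bulk file takeover; tune it to the environment.
    """
    registered = defaultdict(set)   # files handed to Restart Manager, per pid
    exclusive = defaultdict(set)    # files opened with dwShareMode == 0, per pid
    shutdown = set()                # pids that called RmShutdown
    for ev in trace:
        if ev.api == "RmRegisterResources":
            registered[ev.pid].add(ev.path)
        elif ev.api == "RmShutdown":
            shutdown.add(ev.pid)
        elif ev.api == "CreateFileW" and ev.share_mode == 0:
            exclusive[ev.pid].add(ev.path)
    findings = {}
    for pid, files in registered.items():
        reasons = []
        if pid in shutdown and len(files) >= min_files:
            reasons.append(f"RmShutdown after registering {len(files)} files")
        overlap = files & exclusive[pid]
        if len(overlap) >= min_files:
            reasons.append(f"{len(overlap)} registered files then opened with dwShareMode=0")
        if reasons:
            findings[pid] = reasons
    return findings
```

A benign installer trips neither rule because it registers few files and never combines the shutdown with a burst of exclusive opens.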