REVRAC Ransomware Decryptor

In response to the REVRAC variant of the Makop ransomware, our cybersecurity specialists have reverse-engineered its encryption model. The result is a decryption utility that has already recovered encrypted data for numerous global victims. Specifically designed for Windows platforms, the tool emphasizes precision, operational stability, and secure data restoration.


How Our Decryptor Functions

At its core, the decryptor analyzes the victim’s encrypted filenames and unique ID (typically found in the ransom note or file name suffix) inside a secure digital sandbox. It then attempts to match this data to its corresponding decryption key.

Each REVRAC-infected file includes a unique identifier and a contact email, such as file.docx.[2AF20FA3].[[email protected]].REVRAC. Our decryption algorithm maps these attributes to initiate precise decryption.

Before making any changes to your system, the decryptor performs read-only scans to verify that files are in a recoverable state. This method safeguards remaining data and prevents overwrites or corruption.


Pre-Requisites to Run the REVRAC Decryptor

To initiate the recovery process, you will need the following:

  • A ransom note file, typically named +README-WARNING+.txt
  • Full access to the affected (encrypted) files
  • A stable internet connection for server-side key matching
  • Administrator privileges on the infected machine

Critical First Actions After Detecting REVRAC Infection

Time is of the essence. If your system is compromised by REVRAC:

  1. Immediately disconnect the infected workstation or server from your network. This helps prevent the ransomware from spreading to mapped drives, backup storage, or other endpoints.
  2. Do not attempt to rename encrypted files or open them with recovery software. Keep all ransom notes, file names, logs, and captured network traffic. These assets can be vital in identifying the specific variant and crafting a recovery approach.
  3. Avoid rebooting the system, as REVRAC may schedule secondary encryption tasks or destructive scripts. Shutting down the system is safer.
  4. Lastly, consult a professional recovery team. DIY solutions found on forums or sketchy sites can damage files further or contain malware themselves.


Understanding the REVRAC Encryption Process and Safe Recovery Options

REVRAC ransomware encrypts documents, databases, archives, and images using hybrid cryptography (AES + RSA). It appends the file extension .REVRAC to all affected files and includes a ransom note instructing victims to make contact via email for decryption.

Our decryptor bypasses the need to engage with attackers. It works by exploiting cryptographic oversights, matching victim IDs to specific key blocks, and securely decrypting the files — without making any ransom payment.


Public and Private REVRAC File Recovery Methods

Free Tools

Avast Ransomware Decryptor (Early Makop Variant Compatibility Only)

For earlier strains of Makop ransomware — not the REVRAC variant itself — Avast released a decryptor based on predictable key generation vulnerabilities.

To attempt this method:

  1. Download the Avast decryptor matching the Makop ransomware family.
  2. Run the tool and input a sample encrypted file and its uninfected version (if available).
  3. Follow prompts for password/key recovery. The tool may try billions of combinations, which takes time.
  4. If successful, proceed to decrypt the rest of the files.

Restoring from Backups

If you have offline backups, this method offers the cleanest path forward. Ensure these backups were stored in isolated environments. Validate file integrity before restoring, for example by comparing checksums or by mounting snapshots and inspecting their contents. Incomplete or outdated backups should not be used without testing.

Using VM Snapshots

For virtual environments like VMware ESXi or Proxmox, rolling back to a snapshot taken before the attack is a fast and safe way to restore services. Confirm the snapshot is not compromised and verify log entries to avoid reintroducing REVRAC during rollback.


Paid Alternatives

Paying the Ransom

The ransom note instructs victims to email [email protected] or [email protected]. The attackers will demand a fee in exchange for a decryption tool tied to your victim ID.

There’s no guarantee that the decryptor will work or that it will be free of spyware or data-stealing features. There is also a high risk of partial or corrupted recovery and the ethical dilemma of paying cybercriminals.

Ransomware Negotiators

Cyber-extortion negotiators serve as liaisons between victims and ransomware groups. They manage encrypted communication, verify legitimacy, and often secure reduced ransom amounts. While they improve outcomes, their services are expensive and not always successful.


Our Proprietary REVRAC Decryptor Solution

We developed a secure cloud-based decryptor to address REVRAC’s unique file-locking strategy. By analyzing encrypted filenames and ransom IDs, our software maps encrypted files to correct decryption routines.

The files are uploaded through a secure channel and returned decrypted, accompanied by audit logs verifying recovery integrity. This is a comprehensive, end-to-end managed recovery service.


Step-by-Step Guide to Decrypting REVRAC Files Using Our Tool

1. Verify Infection
Confirm that the .REVRAC extension is present on files and the +README-WARNING+.txt ransom note exists.

2. Isolate the System
Disconnect infected systems from the internet and local network to halt additional encryption attempts.

3. Submit Samples
Send us one or two encrypted files and the ransom note. This allows us to validate the variant and determine if decryption is feasible.

4. Begin Decryption
Once your data is validated, launch our decryptor with administrator rights. Enter your victim ID as instructed. The tool will begin decrypting your files in batches.


Offline vs. Online Decryption Strategies

Offline methods involve copying files to a clean workstation or bootable environment. These are best suited for high-security sectors (government, industrial). Online recovery is faster and managed remotely, requiring a secure internet channel. Our decryptor supports both modes for enterprise flexibility.


What Is REVRAC Ransomware and What Makes It Dangerous?

REVRAC is part of the Makop ransomware-as-a-service (RaaS) ecosystem. It locks user data using powerful encryption, changes the wallpaper to reflect infection, and instructs victims to contact the attacker using email. The extension .REVRAC is added to every file.

REVRAC also disables shadow copies and system restore points, eliminating local recovery options. It warns victims against using other decryption tools or renaming files, threatening increased ransom fees or data corruption.


REVRAC Attack Timeline and Target Demographics

Sectors Commonly Hit

Activity Timeline


Understanding the Ransom Note

The file +README-WARNING+.txt contains:

YOUR FILES ARE ENCRYPTED

Your files, documents, photos, databases and other important files are encrypted.

You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.

To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free.

Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets,sql. etc.)

Do you really want to restore your files?
Write to email: [email protected]

Your personal ID is indicated in the names of the files and in the end of this message, before writing a message by email – indicate the name of the ID indicated in the files IN THE SUBJECT OF THE EMAIL

Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

YOUR ID: –

This message applies psychological pressure, emphasizing urgency, secrecy, and threats of increased damage if recovery is attempted independently.


TTPs, Attack Toolkit, IOCs & Mitigation Measures

Initial Entry Tactics

REVRAC leverages phishing emails, trojanized installers, and exposed RDP services. It may also exploit security flaws in remote gateways and firewall devices to gain an initial foothold.

Commonly Used Tools

  • Mimikatz – Credential theft
  • PsExec – Remote execution
  • Advanced IP Scanner / SoftPerfect – Internal reconnaissance
  • PuTTY, AnyDesk – Persistence and backdoor control
  • Everything.exe – File discovery
  • RClone, FileZilla – Data exfiltration
  • NLBrute – RDP brute-forcing

MITRE ATT&CK Mapping

Tactic                 Technique                            ID
Initial Access         Spearphishing Attachment             T1566.001
Execution              User Execution                       T1059
Persistence            Registry Run Keys                    T1547.001
Privilege Escalation   Valid Accounts (via RDP)             T1078
Defense Evasion        Obfuscated Scripts / Files           T1027
Discovery              System Scanning & Enumeration        T1016
Lateral Movement       PsExec Usage                         T1021.002
Credential Access      Dumping Credentials (Mimikatz)       T1003.001
Exfiltration           Web Service Uploads                  T1567.002
Impact                 File Encryption                      T1486

Indicators of Compromise (IOCs)

  • File pattern: .REVRAC extension with embedded ID/email
  • Ransom note: +README-WARNING+.txt
  • Dropped wallpaper: Random .bmp file replacing desktop background
  • Processes: mc_hand.exe, NLBrute.exe, Everything.exe
  • Domains/emails: [email protected], [email protected], use of IPLogger, RClone, Mega.nz
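The "File pattern" indicator above and the filename layout described earlier (original name, then [victim ID], then [contact email], then .REVRAC) are easy to check programmatically during triage. The following is an added example, not code from this page or from the decryptor it describes; the 8-hex-digit ID length is taken from the page's single example and is an assumption, and the email address and file listing are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Layout described on the page: <original name>.[<victim ID>].[<contact email>].REVRAC
# ASSUMPTION: the victim ID is 8 hex digits, as in the page's example "2AF20FA3".
REVRAC_NAME = re.compile(
    r"^(?P<original>.+?)\.\[(?P<victim_id>[0-9A-Fa-f]{8})\]\.\[(?P<email>[^\]]+)\]\.REVRAC$"
)


@dataclass(frozen=True)
class RevracArtifact:
    original_name: str   # filename before the ransomware renamed it
    victim_id: str       # ID the ransom note tells the victim to quote
    email: str           # contact address embedded in the name


def parse_revrac_name(name: str) -> Optional[RevracArtifact]:
    """Return the embedded ID/email and the pre-encryption name, or None if the name does not fit the pattern."""
    m = REVRAC_NAME.match(name)
    if not m:
        return None
    return RevracArtifact(m["original"], m["victim_id"].upper(), m["email"])


def triage(names: Iterable[str]) -> Dict[Tuple[str, str], List[str]]:
    """Group affected files by (victim ID, email); one infection should yield a single key."""
    found: Dict[Tuple[str, str], List[str]] = {}
    for n in names:
        art = parse_revrac_name(n)
        if art is None:
            continue  # untouched file, the ransom note, or a name that only looks similar
        found.setdefault((art.victim_id, art.email), []).append(art.original_name)
    return found


# Constructed directory listing for illustration; the email is a placeholder, not a real indicator.
SAMPLE = [
    "file.docx.[2AF20FA3].[attacker@example.invalid].REVRAC",
    "budget.2024.xlsx.[2AF20FA3].[attacker@example.invalid].REVRAC",
    "+README-WARNING+.txt",   # ransom note is dropped unencrypted
    "notes.txt",              # not touched
    "old.REVRAC",             # extension only, no ID/email block: does not match the page's pattern
]

if __name__ == "__main__":
    for (victim_id, email), files in triage(SAMPLE).items():
        print(f"ID {victim_id} / {email}: {len(files)} file(s) -> {files}")
```

A second key in the triage output would mean files from more than one infection (or a different variant) are mixed in, which is worth knowing before submitting samples for decryption.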

Prevention & Mitigation Best Practices

  • Enforce multi-factor authentication on all remote access channels
  • Patch vulnerabilities across endpoints, VPNs, and firewalls
  • Implement application whitelisting and driver integrity policies to counter BYOVD
  • Maintain offline backups with daily snapshot versions
  • Continuously monitor systems with EDR and SIEM to detect lateral movement, PowerShell misuse, and credential harvesting
  • Run user awareness campaigns to reduce phishing risks

Conclusion

REVRAC poses a serious threat, but it’s not insurmountable. With validated decryptors, a professional recovery team, and hardened cybersecurity practices, your data can be restored safely. Avoid panic decisions, refrain from paying the ransom when alternatives exist, and begin incident response immediately.


Frequently Asked Questions

Only for early Makop variants — REVRAC requires advanced solutions.

Yes. It includes the victim ID crucial for decryption. We can support missing cases using universal tools, but expect delays.

Custom pricing is provided after we assess your files and infection scope.

No. REVRAC has only been found on Windows systems.

Yes. We use encrypted tunnels and blockchain-based validation to protect and track your data recovery.

