The recent detention of a Russian tourist in Armenia, based on a U.S. extradition request for an individual sharing the name of a suspected REvil operative, Aleksandr Ermakov, serves as a stark reminder of the persistent reach of cyber law enforcement. While the validity of the identification remains contested—with claims that border officials utilized photos scraped from VKontakte—the underlying context is undeniable: REvil (Sodinokibi) remains a high-priority threat in the cybersecurity landscape.
For defenders, this case underscores two critical realities: first, the technical TTPs (Tactics, Techniques, and Procedures) associated with REvil-style encryption-based incidents are still active and relevant; and second, the operational security (OPSEC) of your workforce—specifically their digital footprint on social media platforms like VKontakte—is a vector for adversary targeting and law enforcement scrutiny alike. If your organization is targeted by sophisticated ransomware, you must be prepared to detect the early signs of encryption and understand how open-source intelligence (OSINT) facilitates these attacks.
Technical Analysis
While the news focuses on the arrest of a suspect, the technical context revolves around the REvil (Sodinokibi) ransomware operations. REvil is known for "ransomware-as-a-service" (RaaS) operations, utilizing strong encryption algorithms (AES-256 + RSA-4096) to lock victim data and threatening to leak it on a dark web "Happy Blog".
Attack Chain & Techniques
- Initial Access: While not explicitly detailed in this specific report, REvil historically relies on phishing, RDP exploits, or supply chain compromises.
- Privilege Escalation & Lateral Movement: Actors typically use tools like Mimikatz or PowerShell to harvest credentials and move laterally.
- Defense Evasion: A critical precursor to encryption is the deletion of Shadow Copies. This prevents victims from easily restoring files without paying the ransom. REvil actors commonly use
vssadmin.exe,wmic.exe, orwbadmin.exeto delete these backups. - Impact (Encryption): The ransomware executes the encryption routine. It often leaves a ransom note (e.g.,
README.txtor random extensions) in directories containing encrypted files.
The OPSEC Vector
The detail regarding the suspect's identification via a VKontakte photo highlights a non-technical but lethal vulnerability: OSINT Exposure. High-value employees (sysadmins, C-suite executives) are frequently profiled by threat actors using social media to build dossiers for social engineering or simply to confirm physical locations for physical cyber attacks (e.g., "rubber ducky" drops or "Evil Maid" attacks during travel).
Detection & Response
Defending against REvil-style threats requires detecting the preparatory steps (shadow copy deletion) and the execution of the payload. We have compiled the following detection rules to identify these behaviors in your environment.
SIGMA Rules
The following Sigma rules detect the deletion of shadow volumes—a near-universal step in REvil playbook executions—and the creation of potential ransomware notes.
---
title: Potential Ransomware Activity - Shadow Copy Deletion
id: 8a2b1c4d-6e3f-4a5b-8c9d-1e2f3a4b5c6d
status: experimental
description: Detects attempts to delete system shadow copies using vssadmin, wmic, or wbadmin, a common precursor to ransomware encryption like REvil.
references:
- https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2026/07/01
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection_vssadmin:
Image|endswith: '\vssadmin.exe'
CommandLine|contains: 'delete shadows'
selection_wmic:
Image|endswith: '\wmic.exe'
CommandLine|contains: 'shadowcopy delete'
selection_wbadmin:
Image|endswith: '\wbadmin.exe'
CommandLine|contains: 'delete catalog'
condition: 1 of selection_*
falsepositives:
- System administration tasks (rare)
level: high
---
title: Potential Ransomware Note Creation
id: 9b3c2d5e-7f4g-5h6i-9j0k-2f3g4h5i6j7k
status: experimental
description: Detects the creation of files with common ransomware note names or extensions in user directories.
references:
- https://attack.mitre.org/techniques/T1486/
author: Security Arsenal
date: 2026/07/01
tags:
- attack.impact
- attack.t1486
logsource:
category: file_create
product: windows
detection:
selection:
TargetFilename|contains:
- '\README.txt'
- '\RECOVER-FILES.txt'
- '\_open_me.txt'
TargetFilename|contains:
- 'Desktop'
- 'Documents'
- 'Downloads'
condition: selection
falsepositives:
- Legitimate readme files created by software installers
level: medium
KQL (Microsoft Sentinel / Defender)
Use this KQL query to hunt for processes attempting to manipulate shadow copies or clear the backup catalog, which is a definitive indicator of ransomware pre-encryption activity.
// Hunt for Ransomware Pre-Encryption Activity
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("delete shadows", "shadowcopy delete", "delete catalog")
| where FileName in~ ("vssadmin.exe", "wmic.exe", "wbadmin.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| sort by Timestamp desc
Velociraptor VQL
This VQL artifact hunts for suspicious files that may indicate a ransomware execution or the presence of tools used by REvil operators for persistence.
-- Hunt for Ransomware Notes and Common Persistence Mechanisms
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs="C:/Users/*/*/*.txt")
WHERE Name =~ "README"
OR Name =~ "recover"
OR Name =~ "restore"
SELECT
Pid,
Name,
CommandLine,
Exe
FROM pslist()
WHERE Name =~ "vssadmin"
OR Name =~ "wbadmin"
OR CommandLine =~ "delete"
Remediation Script
This PowerShell script assists in the immediate response phase by checking for the existence of common ransomware note patterns and verifying the status of Volume Shadow Copy Service (VSS).
# REvil Response Audit: Check for Ransom Notes and VSS Status
Write-Host "[*] Starting Ransomware Response Audit..." -ForegroundColor Cyan
# Check for common ransom note patterns
$paths = @("C:\Users", "C:\Windows\Temp")
$notePatterns = @("README.txt", "RECOVER", "_open_me")
foreach ($path in $paths) {
if (Test-Path $path) {
Write-Host "[*] Scanning $path for ransom notes..." -ForegroundColor Yellow
Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue |
Where-Object {
($_.Extension -eq ".txt") -and
($notePatterns | Where-Object { $_.Name -like "*$($_)*" })
} |
Select-Object FullName, LastWriteTime | Format-Table -AutoSize
}
}
# Check VSS Writer Status
Write-Host "[*] Checking VSS Writer Status..." -ForegroundColor Yellow
try {
$vssStatus = vssadmin list writers
if ($vssStatus -like "*Error*" -or $vssStatus -like "*Failed*") {
Write-Host "[!] VSS Writers detected errors. Possible tampering." -ForegroundColor Red
} else {
Write-Host "[+] VSS Writers appear healthy." -ForegroundColor Green
}
} catch {
Write-Host "[!] Failed to check VSS status." -ForegroundColor Red
}
Write-Host "[*] Audit Complete." -ForegroundColor Cyan
Remediation
- Isolate Affected Systems: Immediately disconnect any machine showing signs of the TTPs above from the network to prevent lateral movement.
- Preserve Artifacts: Do not reboot or power off affected endpoints if possible; capture memory dumps for forensic analysis to confirm the specific ransomware variant (e.g., REvil).
- Verify Backups: Ensure your offline backups are intact and not encrypted. Test the restoration procedure for a critical dataset.
- OPSEC Audit (Crucial): Conduct a security awareness review regarding social media usage. Educate employees, particularly those in technical or sensitive roles, about the risks of geo-tagging photos and sharing professional details on platforms like VKontakte, LinkedIn, or Facebook.
- Patch Management: While no CVE is explicitly cited in this news, REvil has historically exploited vulnerabilities in VPNs and remote access tools. Ensure all external-facing infrastructure is patched against the latest advisories from 2025-2026.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.