How to Decrypt Files Affected by REVRAC Ransomware (.REVRAC): Tools, TTPs, IOCs, and Mitigation Tactics
Our REVRAC Decryptor: Expert‑Engineered for Secure Recovery
Our team reverse‑engineered the REVRAC/Makop ransomware algorithm and built a decryptor that’s recovered data for dozens of victims globally. Compatible with Windows systems, our tool is optimized for reliability, performance, and precision.
How It Works
- AI‑backed analysis runs your encrypted filenames and the ransom‑note ID through an isolated processing environment to match them to the correct decryption key.
- Filename‑ID mapping uses the victim ID and contact email embedded in every encrypted filename (e.g. document.docx.[2AF20FA3].[OnlyBuy@cyberfear.com].REVRAC) to bind decryption to the right key.
- Secure scoping performs harmless, read‑only checks before any decryption is attempted, so intact data is never touched.
Requirements
You need:
- A copy of the ransom note (+README‑WARNING+.txt)
- Access to the encrypted files
- An internet connection for processing
- Administrator access on the affected system

Immediate Steps to Take After a REVRAC Attack
- Disconnect infected systems from the network to stop the encryption from spreading to other hosts and shares.
- Preserve everything: do not delete ransom notes, rename files, or run unknown tools. Keep logs and file hashes intact.
- Keep compromised machines isolated; do not reboot or reformat them, as a reboot may trigger additional actions and a reformat destroys evidence. Shut a machine down only if it cannot be isolated: powering off discards volatile memory (running processes, in‑memory keys) that may help investigators.
- Contact a reputable ransomware recovery specialist early; DIY attempts can significantly reduce recovery chances.
How to Decrypt REVRAC and Recover Your Data
REVRAC encrypts files and renames each one with a victim‑specific ID, the attackers' contact email, and the .REVRAC extension, then demands payment via email. Our decryptor bypasses this by identifying flaws in the malware's key generation, enabling file restoration without paying the ransom.
Free Methods
Avast Ransomware Decryptor (Limited Use for Some Makop Variants)
While no official Avast decryptor exists for REVRAC, earlier Makop versions occasionally used weak encryption that Avast's free tools could exploit. These tools require both an encrypted file and its original, known‑clean counterpart.
To attempt recovery:
- Download the appropriate Avast decryptor and launch the executable.
- Click Next and select the encrypted files. If password cracking is needed, provide an original clean copy of one of them (e.g. from a backup or a duplicate).
- Start cracking if prompted; this consumes CPU time but may recover the key.
- Finally, run decryption as administrator, ideally after backing up the encrypted files first.
This method only works on very early Makop variants with weak cryptography. Modern REVRAC strains use secure routines making Avast decryptor ineffective. Misuse might corrupt your files.
Backup Restore
Restore files from offline or air-gapped backups taken before the infection. Before restoring, verify integrity using checksums or mounting tests to ensure backups are clean and not infected.
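One concrete way to do the checksum check described above, as an added example written for this page (not the vendor's tool or anything the page itself ships): take a SHA‑256 manifest when the backup is written, store it apart from the backup, and verify the tree against that manifest before restoring. The backup set and the tampering below are constructed for the example; the point is that a manifest reporting modified, missing, or unexpected files (for instance names carrying the .REVRAC pattern) means the backup was reached after it was taken and must not be trusted.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backup files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(root) -> dict:
    """Map relative path -> SHA-256 for every file under root (taken when the backup is made)."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root, manifest: dict) -> dict:
    """Compare the tree as it is now against the stored manifest before trusting it."""
    current = write_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    # Files that were not in the backup when the manifest was taken (ransom notes,
    # re-encrypted copies) are as suspicious as changed ones.
    result["unexpected"] = sorted(set(current) - set(manifest))
    result["clean"] = not (result["modified"] or result["missing"] or result["unexpected"])
    return result


def demo() -> dict:
    """Constructed scenario: manifest taken, then the backup share is reached by an encryptor."""
    root = Path(tempfile.mkdtemp(prefix="backup_"))
    (root / "db").mkdir()
    (root / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (...);\n")
    (root / "report.docx").write_bytes(b"constructed document\n")

    manifest = write_manifest(root)
    # Keep the manifest outside the backup tree so the same event cannot rewrite both.
    manifest_path = root.parent / (root.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    before = verify_manifest(root, manifest)

    # Simulate what an encryptor leaves behind: one file overwritten, one replaced by a
    # renamed encrypted copy (pattern from this page's IOC section), plus a ransom note.
    (root / "report.docx").write_bytes(b"\x00garbage\x00")
    (root / "db" / "customers.sql").unlink()
    (root / "db" / "customers.sql.[2AF20FA3].[OnlyBuy@cyberfear.com].REVRAC").write_bytes(b"\x00")
    (root / "+README-WARNING+.txt").write_bytes(b"YOUR FILES ARE ENCRYPTED\n")
    after = verify_manifest(root, json.loads(manifest_path.read_text()))
    return {"before": before, "after": after}


if __name__ == "__main__":
    outcome = demo()
    print("clean before tampering:", outcome["before"]["clean"])
    for key in ("modified", "missing", "unexpected"):
        print(f"{key}:", outcome["after"][key])
```

Run the manifest step from a host that is not the backup target, and keep the manifest (or at least its own hash) on write‑once or offline media; a manifest stored beside the backup can be rewritten by the same actor that encrypts the backup.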
VM Snapshot Rollback
If pre‑infection VM snapshots exist (e.g. VMware ESXi or Proxmox), revert to a clean snapshot. Be sure snapshots are intact and isolated before rollback. This method can restore full systems quickly if snapshots survived the attack.
Paid Methods
Paying the Ransom
Following attacker instructions (emailing onlybuy@cyberfear.com) may trigger decryption delivery based on your victim ID. However, there’s no assurance of full recovery or clean tools—and supporting criminal activity carries legal and ethical risks.
Third‑Party Negotiators
These professionals negotiate ransom amounts, validate decryptor integrity, and manage the entire communication process. They reduce risk but charge significant fees and may offer no guarantee of full restoration.
Our Specialized REVRAC Decryptor
Our solution combines secure upload, victim‑ID matching, and blockchain‑verified processing to decrypt files reliably. After analysis, recovered files are securely delivered, with integrity logs and expert support throughout.
Step‑by‑Step REVRAC Recovery Guide
- Assess the infection: confirm the .REVRAC extension on affected files and the presence of +README‑WARNING+.txt.
- Secure the environment: disconnect infected systems immediately and stop any running ransomware processes.
- Engage the recovery team: share a few example encrypted files and the ransom note. We'll identify the variant and estimate recovery time.
- Run the decryptor: launch it as administrator with an internet connection available, enter the victim ID found in the filenames or ransom note, and proceed with decryption.
Offline vs Online Decryption Methods
Offline recovery suits environments without network access—files transferred via external media. Online recovery offers faster turnaround, live monitoring, and encrypted transmission to secure servers. Our decryptor supports both workflows.
What Is REVRAC Ransomware?
REVRAC is a Makop‑family crypto‑ransomware that encrypts files and renames them with the victim's ID, the attackers' contact email, and the .REVRAC extension. It replaces the desktop wallpaper, drops a ransom note, and demands that the victim make contact by email to restore files. The attackers explicitly warn against third‑party decryptors and renaming files.
Attack Timeline & Victim Data
(Charts: organizations affected by sector, and the timeline of REVRAC attacks from discovery to July 2025.)
Ransom Note Dissected
The note reads:
YOUR FILES ARE ENCRYPTED
Your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: TechSupport@cyberfear.com and decrypt one file for free.
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, sql. etc.)
Do you really want to restore your files?
Write to email: OnlyBuy@cyberfear.com
Your personal ID is indicated in the names of the files and in the end of this message, before writing a message by email – indicate the name of the ID indicated in the files IN THE SUBJECT OF THE EMAIL
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
YOUR ID: –
How REVRAC Works: TTPs, Tools Used, IOCs & Mitigations
Initial Access Vectors: How REVRAC Infiltrates Systems
REVRAC, being a variant of the Makop ransomware family, primarily spreads through deceptive email attachments, pirated software, or cracked tools. Threat actors often craft convincing phishing campaigns that trick users into executing malicious documents or executables. These emails frequently spoof trusted brands or vendors to bypass scrutiny. In other cases, REVRAC arrives bundled with free software downloaded from unreliable torrent sites or rogue downloaders.
Another entry point is exposed Remote Desktop Protocol (RDP) services. If an organization does not enforce strong authentication and network segmentation, REVRAC can brute-force its way into administrative accounts via open RDP ports. Some variants are also known to exploit unpatched vulnerabilities in VPNs and firewall devices.
Tools and Techniques Used by REVRAC Operators
Once inside a system, REVRAC affiliates execute a sequence of well-defined steps. They deploy a toolkit that helps them move laterally, evade defenses, and escalate privileges:
- Mimikatz – dumps passwords and credentials from memory; central to lateral movement.
- PsExec – remote code execution, often used to launch REVRAC payloads across networked systems.
- Advanced Port Scanner & SoftPerfect Network Scanner – internal reconnaissance, identifying other hosts and open ports.
- PuTTY & AnyDesk – legitimate tools repurposed to establish backdoors and persistent access.
- Everything.exe – locates files of interest, such as backups or databases, before encryption.
- NLBrute – brute-forces RDP credentials.
- mc_hand.exe / Mouselock.exe – custom binaries often observed in Makop-related campaigns, possibly tied to UI control or distraction.
- RClone, Mega, FileZilla – quiet data exfiltration before encryption, enabling double extortion.
MITRE ATT&CK Mapping
REVRAC's tactics align closely with the following MITRE ATT&CK techniques:
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 |
| Execution | User Execution: Malicious File | T1204.002 |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 |
| Privilege Escalation | Valid Accounts (administrative accounts reached over RDP) | T1078 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Discovery | System Network Configuration Discovery | T1016 |
| Lateral Movement | Remote Services: Remote Desktop Protocol | T1021.001 |
| Lateral Movement | Remote Services: SMB/Windows Admin Shares (PsExec) | T1021.002 |
| Credential Access | OS Credential Dumping: LSASS Memory (Mimikatz) | T1003.001 |
| Collection | Data Staged: Local Data Staging | T1074.001 |
| Exfiltration | Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 |
| Impact | Data Encrypted for Impact | T1486 |
Indicators of Compromise (IOCs)
Common indicators found in REVRAC infections include:
File Extensions and Names:
- Files encrypted with the .REVRAC extension.
- Filenames rewritten to the pattern: [original_name].[victim_ID].[contact_email].REVRAC
Example: document.docx.[2AF20FA3].[OnlyBuy@cyberfear.com].REVRAC
Dropped Files:
- +README-WARNING+.txt – the ransom note.
- A custom BMP wallpaper named with random uppercase characters (e.g., AQXC.bmp) that replaces the desktop background.
Processes and Executables:
- Presence of mc_hand.exe, Everything.exe, NLBrute.exe, or Mouselock.exe.
- Execution of binaries from %Temp%, %AppData%, or %ProgramData%.
Attacker Contact Addresses (email indicators, not network destinations):
- onlybuy@cyberfear.com
- techsupport@cyberfear.com
Network Indicators:
- Outbound connections to iplogger.com, mega.nz, rclone.org, or Tor-based URLs used for data exfiltration and double extortion.
Hashes:
- No fixed hash list is published here: SHA-256 values for the ransom note, wallpaper images, and encryptor binaries vary by sample, so match on the filename patterns and behaviours above rather than on a static hash.
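A responder triaging an infection wants a read‑only inventory of the indicators above across a share before anyone touches the files (the ransom note itself warns against renaming, and so does the preservation advice earlier on this page). The following Python script is an added example written for this page, not the vendor's decryptor or any REVRAC tooling: it walks a directory tree, parses the [victim_ID].[contact_email].REVRAC naming pattern, counts victim IDs and contact addresses, and locates ransom notes and the uppercase‑named wallpaper BMP. The sample tree it builds is constructed; the assumption that victim IDs are hexadecimal of any length (the page shows only eight‑character IDs) is mine.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Naming pattern from the IOC section: <original>.[<victim_id>].[<contact_email>].REVRAC
# Assumption for this example: the victim ID is a hex string of any length.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)\.\[(?P<victim_id>[0-9A-Fa-f]+)\]\.\[(?P<email>[^\]]+@[^\]]+)\]\.REVRAC$"
)
RANSOM_NOTE = "+README-WARNING+.txt"
# Dropped wallpaper: random uppercase letters with a .bmp extension (e.g. AQXC.bmp)
WALLPAPER = re.compile(r"^[A-Z]+\.bmp$")


def parse_encrypted_name(name: str):
    """Return (original_name, victim_id, contact_email) or None if the name does not match."""
    m = ENCRYPTED_NAME.match(name)
    if not m:
        return None
    return m.group("original"), m.group("victim_id").upper(), m.group("email").lower()


def scan_tree(root) -> dict:
    """Walk a tree and summarise REVRAC indicators; nothing is opened, renamed or written."""
    report = {
        "encrypted_files": [],  # (path, original_name, victim_id, contact_email)
        "ransom_notes": [],
        "wallpapers": [],
        "victim_ids": Counter(),
        "contact_emails": Counter(),
    }
    for dirpath, _dirs, files in os.walk(Path(root)):
        for name in files:
            path = str(Path(dirpath) / name)
            parsed = parse_encrypted_name(name)
            if parsed:
                original, victim_id, email = parsed
                report["encrypted_files"].append((path, original, victim_id, email))
                report["victim_ids"][victim_id] += 1
                report["contact_emails"][email] += 1
            elif name == RANSOM_NOTE:
                report["ransom_notes"].append(path)
            elif WALLPAPER.match(name):
                report["wallpapers"].append(path)
    return report


def build_sample_tree() -> Path:
    """Create a constructed sample tree (not real victim data) and return its root."""
    root = Path(tempfile.mkdtemp(prefix="revrac_sample_"))
    (root / "docs").mkdir()
    sample_names = [
        "docs/document.docx.[2AF20FA3].[OnlyBuy@cyberfear.com].REVRAC",
        "docs/budget.xlsx.[2AF20FA3].[OnlyBuy@cyberfear.com].REVRAC",
        "docs/+README-WARNING+.txt",
        "+README-WARNING+.txt",
        "AQXC.bmp",
        "docs/notes.txt",              # untouched file: must not be reported
        "docs/archive.tar.gz.REVRAC",  # extension only, no ID block: does not match the pattern
    ]
    for rel in sample_names:
        (root / rel).write_bytes(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(f"{len(report['encrypted_files'])} encrypted files, "
          f"{len(report['ransom_notes'])} ransom notes, {len(report['wallpapers'])} wallpapers")
    print("victim IDs:", dict(report["victim_ids"]))
    print("contact addresses:", dict(report["contact_emails"]))
```

More than one victim ID across a single estate usually means more than one encryption run (or more than one affected host), which matters when a decryption key is bound to a specific ID; the counts are there to surface that early.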
 
Mitigation & Prevention Best Practices
Secure Remote Access:
- Always require multi-factor authentication (MFA) for RDP, VPN, and other remote services.
- Close or restrict unused ports and enforce account lockouts for repeated login failures.
Patch and Update:
- Apply all operating system and third-party software updates promptly. Unpatched systems are easy entry points.
BYOVD Defense:
- Block unverified or unsigned drivers at the kernel level to prevent abuse via "Bring Your Own Vulnerable Driver" (BYOVD) tactics.
Network Segmentation:
- Isolate critical servers and backup systems from general user networks. Enforce least-privilege access.
Backup & Recovery:
- Implement immutable backups (WORM) and store them offline or in secure cloud instances with retention policies.
- Regularly test backup integrity and recovery processes.
Monitoring and Detection:
- Use Endpoint Detection & Response (EDR) systems to track unauthorized credential access and suspicious process execution.
- Deploy SIEM solutions to correlate anomalous behavior, such as PowerShell misuse, repeated failed logons, or unexpected encryption processes.
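The RDP brute‑force path described in the initial‑access and tooling sections (NLBrute against exposed RDP) is exactly the behaviour the correlation above should catch. The following Python is an added example, not code from this page or from any SIEM product: it runs over a constructed sample of Windows Security log records (4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP), flags a source that fails repeatedly and then succeeds, and separately lists sources whose failure rate alone justifies blocking or lockout review. The field names, thresholds, and window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security log records (not from a real incident).
SAMPLE_EVENTS = [
    # External host spraying accounts, then getting in with a different account
    {"time": "2025-07-01T02:14:03", "event_id": 4625, "user": "Administrator", "src_ip": "203.0.113.45", "logon_type": 10},
    {"time": "2025-07-01T02:14:09", "event_id": 4625, "user": "Administrator", "src_ip": "203.0.113.45", "logon_type": 10},
    {"time": "2025-07-01T02:14:15", "event_id": 4625, "user": "admin", "src_ip": "203.0.113.45", "logon_type": 10},
    {"time": "2025-07-01T02:14:21", "event_id": 4625, "user": "backup", "src_ip": "203.0.113.45", "logon_type": 10},
    {"time": "2025-07-01T02:14:27", "event_id": 4625, "user": "backup_admin", "src_ip": "203.0.113.45", "logon_type": 10},
    {"time": "2025-07-01T02:14:33", "event_id": 4625, "user": "backup_admin", "src_ip": "203.0.113.45", "logon_type": 10},
    {"time": "2025-07-01T02:15:02", "event_id": 4624, "user": "backup_admin", "src_ip": "203.0.113.45", "logon_type": 10},
    # Legitimate admin who mistyped once from the management network: no alert
    {"time": "2025-07-01T08:01:10", "event_id": 4625, "user": "jsmith", "src_ip": "10.10.5.12", "logon_type": 10},
    {"time": "2025-07-01T08:01:25", "event_id": 4624, "user": "jsmith", "src_ip": "10.10.5.12", "logon_type": 10},
    # Noisy source that never succeeds: block it, but it is not a successful brute force
    {"time": "2025-07-01T03:40:00", "event_id": 4625, "user": "Administrator", "src_ip": "198.51.100.7", "logon_type": 10},
    {"time": "2025-07-01T03:40:07", "event_id": 4625, "user": "Administrator", "src_ip": "198.51.100.7", "logon_type": 10},
    {"time": "2025-07-01T03:40:14", "event_id": 4625, "user": "Administrator", "src_ip": "198.51.100.7", "logon_type": 10},
    {"time": "2025-07-01T03:40:21", "event_id": 4625, "user": "Administrator", "src_ip": "198.51.100.7", "logon_type": 10},
    {"time": "2025-07-01T03:40:28", "event_id": 4625, "user": "Administrator", "src_ip": "198.51.100.7", "logon_type": 10},
    {"time": "2025-07-01T03:40:35", "event_id": 4625, "user": "Administrator", "src_ip": "198.51.100.7", "logon_type": 10},
]


def _ts(event) -> datetime:
    return datetime.fromisoformat(event["time"])


def detect_rdp_bruteforce(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Alert when a source IP records >= fail_threshold failed logons inside `window`
    and then a successful RDP (LogonType 10) logon from the same IP."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        recent_failures = []  # timestamps of 4625s still inside the window
        for e in evs:
            now = _ts(e)
            recent_failures = [f for f in recent_failures if now - f <= window]
            if e["event_id"] == 4625:
                recent_failures.append(now)
            elif e["event_id"] == 4624 and e["logon_type"] == 10 and len(recent_failures) >= fail_threshold:
                alerts.append({
                    "src_ip": ip,
                    "user": e["user"],
                    "failures_before_success": len(recent_failures),
                    "success_time": e["time"],
                })
                recent_failures = []  # one alert per success, not one per later event
    return alerts


def failed_logons_per_source(events, window=timedelta(minutes=10), threshold=5):
    """Sources exceeding `threshold` failures in any `window`: candidates for blocking or lockout review."""
    times_by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            times_by_ip[e["src_ip"]].append(_ts(e))
    noisy = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            noisy[ip] = best
    return noisy


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print("ALERT brute force then RDP success:", alert)
    print("noisy sources:", failed_logons_per_source(SAMPLE_EVENTS))
```

In a live deployment the success rule is the one to page on: a burst of 4625s is routine on any exposed RDP service, but a 4624 with LogonType 10 that follows such a burst from the same source is the moment an affiliate has what they need to start the toolkit described above.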
 
User Awareness:
- Train employees to spot phishing emails and report anomalies. Many REVRAC infections start with a single mistaken click.
Conclusion: Restore Your Data, Reclaim Control
While REVRAC encryption may feel catastrophic, recovery remains possible through verified decryptors and professional guidance. Avoid malicious tools or panic decisions. Our decryptor and recovery process offers secure, reliable restoration using your valid victim ID and encrypted file set.
Contact Us To Purchase The REVRAC Decryptor Tool