Releases: cado-security/DFIR_Resources_REvil_Kaseya
Forensic Disk Image
A forensic DD image of a Windows Server compromised with REvil
The SHA256 of the malware is d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
It is in .gz format, split into a number of ZIP files; use something such as 7-Zip to open them.
We manually deployed this over RDP; when reviewing compromised disks, expect to see execution from the Kaseya agent at C:\Program Files (x86)\Kaseya...\AgentMon.exe instead.