The PolySwarm Blog

Surtr Ransomware

Mar 25, 2022 1:45:09 PM / by PolySwarm Tech Team


Arete recently reported on Surtr, a ransomware-as-a-service (RaaS) offering. A newly discovered Surtr sample pays tribute to the REvil/Sodinokibi ransomware gang.

What is Surtr Ransomware?

Surtr is a ransomware-as-a-service (RaaS) operation targeting Windows systems and active since December 2021. The malware carries a warning that it is not to be used in the Commonwealth of Independent States (CIS), listing Russia, Ukraine, Armenia, Iran, Azerbaijan, Turkmenistan, Turkey, Georgia, Kazakhstan, Tajikistan, and Uzbekistan (a list that includes Iran and Turkey, which are not CIS members). Surtr uses double extortion, threatening to leak stolen victim data if the ransom is not paid. The recently reported sample changes the victim’s system manufacturer name to “Tribute to the REvil <3.”

Surtr encrypts files on network shares and deletes volume shadow copies. It carries an exclusion list of extensions, file names, and folders that are not encrypted. Surtr uses multilayer obfuscation together with several anti-debugging and anti-sandboxing techniques. For file encryption, Surtr calls the Windows CryptoAPI function CryptGenRandom to generate a 64-bit random value, from which it derives the XOR keys used to encrypt file contents. Surtr maintains persistence by copying itself into the StartUp folder, creating scheduled tasks that execute the ransomware at logon, and adding a registry value that restarts the ransomware after a reboot.
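The persistence pattern above (a copy in a StartUp folder, a logon-triggered scheduled task, and a registry run value) can be hunted for on a Windows host with the following script. This is an added example, not code from the PolySwarm post or from Arete; the post does not give Surtr's task names, registry value names, or drop paths, so the script flags anything that matches the generic pattern rather than a known indicator. The use of the Run/RunOnce keys and the "user-writable location" heuristic are assumptions made here for illustration.

```powershell
# Added example (not from the post): hunt for the generic persistence pattern
# described above. No Surtr-specific names are known from the post, so every
# match is a triage lead, not a confirmed detection.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user StartUp folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users StartUp folder
)
# Locations an unprivileged dropper can write to (assumption: typical drop paths)
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE, $env:PUBLIC) + $startupDirs
$suspectExt   = '.exe', '.dll', '.bat', '.cmd', '.vbs', '.js', '.ps1', '.scr'

function Test-UserWritablePath([string]$Path) {
    # Strip quotes, expand %VARS%, then check the prefix against the list above
    $p = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    foreach ($dir in $userWritable) {
        if ($dir -and $p.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Executable content dropped directly into a StartUp folder
$startupHits = foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -File -Force |
            Where-Object { $_.Extension -in $suspectExt } |
            ForEach-Object {
                [pscustomobject]@{ Source = 'StartupFolder'; Location = $_.DirectoryName; Target = $_.FullName }
            }
    }
}

# 2. Scheduled tasks with a logon trigger whose action runs from a user-writable path
$taskHits = Get-ScheduledTask | ForEach-Object {
    $task  = $_
    $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if ($logon) {
        foreach ($action in $task.Actions) {
            if ($action.Execute -and (Test-UserWritablePath $action.Execute)) {
                [pscustomobject]@{
                    Source   = 'ScheduledTask(Logon)'
                    Location = "$($task.TaskPath)$($task.TaskName)"
                    Target   = $action.Execute
                }
            }
        }
    }
}

# 3. Run / RunOnce values (assumption: the post does not name the key Surtr uses)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$regHits = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSChildName metadata
            $cmd = [string]$p.Value
            if ($cmd -and (Test-UserWritablePath $cmd)) {
                [pscustomobject]@{ Source = 'RunKey'; Location = "$key\$($p.Name)"; Target = $cmd }
            }
        }
    }
}

@($startupHits) + @($taskHits) + @($regHits) | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that HKLM and all users' tasks are readable. Expect benign hits from software that legitimately auto-starts from %LOCALAPPDATA% (updaters, collaboration clients); compare against a known-good baseline and look for the combination of all three mechanisms pointing at the same binary, which is what the post describes.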

While Arete does not believe Surtr has a direct link to REvil, they note that the developers may previously have been affiliated with REvil, or that the actors behind Surtr may be invoking REvil's name to gain notoriety. REvil is the well-known ransomware gang behind the Kaseya attack and several other high-profile incidents. Law enforcement operations in late 2021 disrupted the group’s activities and led to the arrest of several individuals affiliated with REvil; following these arrests, REvil announced it would cease operations.


PolySwarm has multiple samples associated with Surtr Ransomware.

You can use the following CLI command to search for all xx samples in our portal:

$ polyswarm link list -f Surtr

Topics: Threat Bulletin, Ransomware, Surtr, REvil, Sodinokibi