The REvil group continues to enhance REvil. Version 2.2 has a couple of new features identified by Intel 471. It supports encryption of open or locked files!
REvil ransomware persists on a machine if the arn configuration field is set to true. It writes its path to the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Run. An example of the value name of the registry key entry is mjOObKp0yy.
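One way to hunt for this persistence entry, as an added example that is not from Intel 471 or the original page: it scans registry value-set events for writes to the Run key whose value name looks random, like mjOObKp0yy. The Sysmon Event ID 13 field layout, the sample events and the randomness heuristic are assumptions to tune per environment.

```python
# Added example: flag Run-key writes with random-looking value names.
# Input is modelled on Sysmon Event ID 13 (registry value set) fields.
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
VOWELS = set("aeiouAEIOU")

def looks_random(name, max_vowel_ratio=0.3):
    """Heuristic (assumption): a single 8-16 character ASCII alphanumeric
    token that mixes lowercase, uppercase and digits and has few vowels."""
    if not (8 <= len(name) <= 16 and name.isascii() and name.isalnum()):
        return False
    mixed = (any(c.islower() for c in name)
             and any(c.isupper() for c in name)
             and any(c.isdigit() for c in name))
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    return mixed and vowel_ratio <= max_vowel_ratio

def suspicious_run_writes(events):
    """Return Run-key value writes whose value name looks random."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        # TargetObject is '<hive>\<key path>\<value name>'
        key, _, value_name = ev["TargetObject"].rpartition("\\")
        if key.lower().endswith(RUN_KEY) and looks_random(value_name):
            hits.append({"key": key, "value": value_name,
                         "data": ev.get("Details"), "writer": ev.get("Image")})
    return hits

# Constructed sample events (paths, SID and process names are made up).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventID": 13, "Image": r"C:\Users\Public\sample.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mjOObKp0yy",
     "Details": r"C:\Users\Public\sample.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Example\app.exe",
     "TargetObject": r"HKLM\SOFTWARE\Example\Settings\aB3dE5fG7h",
     "Details": "1"},  # random-looking name, but not under the Run key
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for hit in suspicious_run_writes(SAMPLE_EVENTS):
        print(hit)
```

The heuristic trades recall for fewer false positives on ordinary autorun names; pair it with a check on whether the written path points to a user-writable location.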
Restart Manager to terminate processes
One of the more interesting new features of REvil version 2.2 is the use of the Windows Restart Manager to terminate processes and services that can lock files targeted for encryption.
For more info: