The REvil ransomware group (opens in new tab) is back in operation with new infrastructure and a modified encryptor after supposedly being shut down last year.
Back in October of 2021, the notorious ransomware gang was shut down after a law enforcement operation hijacked its Tor servers (opens in new tab). This was then followed by several of its key members being arrested by Russia’s FSB (opens in new tab).
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.
As Russia’s invasion of Ukraine (opens in new tab) soured relations between it and the US, the US government went ahead and unilaterally shut down the communication channel it had on cybersecurity with Moscow. As a result, the US has also withdrawn itself from the negotiation process regarding REvil.
While it seemed for a bit there that REvil had closed shop for good, the group’s old Tor infrastructure recently began operating again (opens in new tab). However, instead of showing old websites, its Tor servers redirected visitors to URLs for a new unnamed ransomware operation according to a report from BleepingComputer (opens in new tab).
A new REvil encryptor
Websites are redirected all the time which is why finding a new sample of REvil’s ransomware encryptor and analyzing it is the only way to tell whether or not the cybercriminal group has really returned.
Fortunately, malware (opens in new tab) research director at Avast, Jakub Kroustek recently found a sample of the encryptor used by the new ransomware group that may or may not be REvil. It’s worth noting that other ransomware operations have used REvil’s encryptor in the past but they all used patched executables as opposed to having direct access to the group’s source code.
Multiple security researchers and malware analysts that spoke with BleepingComputer have confirmed that this new sample is compiled from REvil’s source code though it does include some new changes. In a post on Twitter (opens in new tab), security researcher R3MRUM said that although the sample’s version number is 1.0, it is actually a continuation of REvil’s last encryptor version (2.08) which was released before the group was shut down.
> Ransomware payments hit a new all-time high last year (opens in new tab)
> IT workers believe ransomware is as serious as terrorism (opens in new tab)
> These fake Windows 10 updates will land you with a ransomware infection (opens in new tab)
Advanced Intel CEO Vitali Kremez was also able to reverse engineer the sample in question and he confirmed to BleepingComputer that it was compiled from source code on April 26 and not patched.
Although REvil’s original public-facing representative known as “Unknown” remains missing, threat intelligence researcher FellowSecurity told the news outlet that one of the ransomware group’s original core developers had relaunched the operation under a new name (opens in new tab).
At this time, we still don’t know what this rebranded version of the REvil ransomware group refers to itself as but now that REvil is back, expect to see more high-profile attacks on important and valuable targets worldwide.
- Keep your devices virus free with the best malware removal software (opens in new tab)
Via BleepingComputer (opens in new tab)