REvil ransomware is officially back, experts claim

By Sead Fadilpašić
published

New variants, new website, REvil appears to be back up and running

Representational image depecting cybersecurity protection
(Image credit: Shutterstock)

Fresh evidencehas emerged that the notorious REvil ransomware (opens in new tab) is back with a vengeance, as newly discovered samples point to the fact that the group is now indiscriminate in the choice of its targets.

Cybersecurity researchers from Secureworks analyzed new malware (opens in new tab) samples recently uploaded to VirusTotal and came to the conclusion that whoever was behind it probably had access to REvil’s source code in the past. 

That led the researchers to believe that this is probably the same group whose operations were shut down late in 2021.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab)

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.

Nothing is off limits any more

"The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development," the researchers said in a blog post announcing the news.

A new REvil leak site was recently sprung up. This newest sample, as well as an older sample, discovered in October last year, all point to REvil being active again.

In these new versions, researchers spotted upgrades in the string decryption logic, making it rely on a new command-line argument. Hard-coded public keys have been updated, as well as configuration storage location and the data format for affiliate tracking.

But perhaps the biggest change is the removal of off-limits regions. Older versions of REvil would check the geographical location of the infected endpoint, and if it met certain criteria (for example, if it was in a Russian-speaking community), would not activate. 

This is no longer the case.

"The October 2021 REvil sample removed code that verified the ransomware was not executing on a system that resided within a prohibited region," the CTU researchers wrote. "This removal enabled REvil to execute on any system regardless of its location."

Read more

> REvil Tor sites have come back to life (opens in new tab)

> REvil is back - and wants to rebuild its reputation (opens in new tab)

> REvil ransomware group is back with a vengeance (opens in new tab)

REvil was initially shut down after a joint US-Russia operation, with the Russians arresting more than a dozen members. 

As Russia’s invasion of Ukraine soured relations between it and the US, the US government went ahead and unilaterally shut down the communication channel it had on cybersecurity with Moscow. As a result, the US has also withdrawn itself from the negotiation process regarding REvil.

Prior to Secureworks’ analysis, other cybersecurity firms warned of REvil’s resurgence, including Avast, Advanced Intel, R3MRUM, and others.

Via: The Register (opens in new tab)

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

See more Computing news