Security researchers believe that the notorious REvil ransomware gang has returned, after finding REvil source code in a new malware operation. Last year, several governments worked together to push REvil offline and arrested several of its members.
However, it appears growing tensions between the US and Russia over the Ukraine war, and a unilateral shutdown of cooperation and communication on cybersecurity, have allowed the group to resurface.
What is the REvil Ransomware Gang?
The REvil ransomware gang is a cybercriminal group that has carried out several high-profile cyberattacks in recent years. Some of its most notable victims include Acer, JBS Foods, and Kaseya. Its operations put the gang firmly on top of the most-wanted lists of high-profile US agencies, including the FBI and the Secret Service.
Consequently, several US government agencies worked along with their international counterparts to take down REvil’s Tor websites. This was followed by a coordinated effort to identify and arrest REvil gang members, which led to the extradition of one of the Kaseya hackers.
REvil’s Tor Sites Back Online in April
After months of inactivity, REvil’s Tor infrastructure came alive, redirecting visitors to the URLs of a new ransomware operation. According to reports, these new websites look very different from REvil’s previous pages.
However, the fact that REvil’s old infrastructure is active once again raises suspicion among cybersecurity researchers. Additionally, the redirected sites contain a mix of new data as well as information previously stolen by REvil.
Still, the only way to confirm REvil’s participation in the new operation is by checking for its source code. For this, security researchers would have to analyze the new operation’s ransomware encryptor.
According to research from Bleeping Computer, a few other ransomware operations have used REvil’s encryptor in the past. However, they rely on patched executables, and do not have direct access to the group’s source code. AVAST Research’s Jakub Kroustek discovered a sample of the new operation’s encryptor in the wild last week, noting it was a variant of REvil’s code.
New REvil Sample Capable of Highly Targeted Attacks
In this case, multiple security researchers extensively studied the new operation’s sample. They confirmed that it contains REvil’s source code, and not just patches. According to Advanced Intel’s Vitali Kremez, the sample includes a new configuration field, ‘accs,’ which allows for highly targeted attacks. Interestingly, the researchers also noted that the encryptor does not encrypt files. They were unable to explain why this was the case.
Bleeping Computer tested the sample itself, and found that while it did not encrypt files, it produced a ransom note identical to previous REvil notes. Furthermore, once a user logs in to the redirected website, it is almost identical to REvil’s original site. The responsible actors have assumed the name Sodinokibi, which is another name for REvil and was widely used in its previous operations.
Intelligence researchers also told Bleeping Computer they believed that one of REvil’s original developers relaunched the ransomware operation. If you’re interested in a rundown of organized cybercrime, we recommend checking out our detailed article on Ransomware-as-a-Service (RaaS).