The REvil ransomware group is back in operation with new infrastructure and a modified encryptor after supposedly being shut down last year.
Back in October of 2021, the notorious ransomware gang was shut down after a law enforcement operation hijacked its Tor servers. This was then followed by several of its key members being arrested by Russia’s FSB.
As Russia’s invasion of Ukraine soured relations between it and the US, the US government went ahead and unilaterally shut down the communication channel it had on cybersecurity with Moscow. As a result, the US has also withdrawn itself from the negotiation process regarding REvil.
While it seemed for a bit there that REvil had closed shop for good, the group’s old Tor infrastructure recently began operating again. However, instead of showing old websites, its Tor servers redirected visitors to URLs for a new unnamed ransomware operation according to a report from BleepingComputer.
A new REvil encryptor
Websites are redirected all the time which is why finding a new sample of REvil’s ransomware encryptor and analyzing it is the only way to tell whether or not the cybercriminal group has really returned.
Fortunately, malware research director at Avast, Jakub Kroustek recently found a sample of the encryptor used by the new ransomware group that may or may not be REvil. It’s worth noting that other ransomware operations have used REvil’s encryptor in the past but they all used patched executables as opposed to having direct access to the group’s source code.
Multiple security researchers and malware analysts that spoke with BleepingComputer have confirmed that this new sample is compiled from REvil’s source code though it does include some new changes. In a post on Twitter, security researcher R3MRUM said that although the sample’s version number is 1.0, it is actually a continuation of REvil’s last encryptor version (2.08) which was released before the group was shut down.
Advanced Intel CEO Vitali Kremez was also able to reverse engineer the sample in question and he confirmed to BleepingComputer that it was compiled from source code on April 26 and not patched.
Although REvil’s original public-facing representative known as “Unknown” remains missing, threat intelligence researcher FellowSecurity told the news outlet that one of the ransomware group’s original core developers had relaunched the operation under a new name.
At this time, we still don’t know what this rebranded version of the REvil ransomware group refers to itself as but now that REvil is back, expect to see more high-profile attacks on important and valuable targets worldwide.