Just when you thought it was safe, REvil has returned! According to reports, the notorious REvil ransomware operation has returned amidst rising tensions between Russia and the USA, with new infrastructure and a modified encryptor allowing for more targeted attacks.
According to BleepingComputer ("REvil ransomware returns: New malware sample confirms gang is back", written by Lawrence Abrams – hat tip to Sharon Nelson's excellent Ride the Lightning blog for the initial coverage), REvil has returned because, after the invasion of Ukraine, Russia stated that the US had withdrawn from the negotiation process regarding the REvil gang and closed communications channels.
The REvil ransomware gang had shut down in October 2021 after a law enforcement operation hijacked their Tor servers, followed by arrests of members by Russian law enforcement in January (which I covered here). However, after the negotiation process broke down, the old REvil Tor infrastructure began operating again; instead of showing the old websites, it redirected visitors to URLs for a new, unnamed ransomware operation.
While these sites looked nothing like REvil’s previous websites, the fact that the old infrastructure was redirecting to the new sites indicated that REvil was likely operating again. Furthermore, these new sites contained a mix of new victims and data stolen during previous REvil attacks.
While these events strongly indicated that REvil rebranded as the new unnamed operation, the Tor sites had also previously displayed a message in November stating that “REvil is bad”, so the websites themselves were not strong enough proof of the gang’s return.
The only way to know for sure whether REvil was back was to find a sample of the ransomware encryptor and analyze it to determine whether it was a patched copy of the old binary or had been compiled from the original source code. BleepingComputer has been told by multiple security researchers and malware analysts that the discovered REvil sample used by the new operation is compiled from source code and includes new changes, confirming the new operation's ties to REvil.
The article (via the link above) has considerably more information about REvil’s return. Like it or not, REvil has returned – at least in some form. Protect those devices!
So, what do you think? Are you surprised that REvil has returned? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
The “REvil Gang Revival” is more a “REvil Brand Revival”. The old gang never left the playing field, as reported by Andy Jenkinson, Michael Schwartz, Brett Callow, Jakub Kroustek and a host of cybersecurity/cyber attack experts you can follow on Linkedin and via their blogs.
And as I reported in January, the arrest by Russian officials "of 14 members of the REvil group after raiding more than two dozen locations" was all "ransomware diplomacy theatre". Yes, Russia busted some alleged participants in the REvil operation, but they were all lower-level players. Russia could say "see, we are really doing something!" and the U.S. could say "see, we are really doing something!" – just one month before the start of the UN protocol negotiations on a comprehensive cyber crime treaty, with its principal sponsors being … YOU GUESSED IT! … the U.S. and Russia. Oh, yeah, and one month before Russia's invasion of Ukraine. But Russia got that UN protocol going with its first meeting and 47 states participating, so the U.S. could not pull out now. Oh, what fools these mortals be. A few weeks ago the U.S. said "because of the Ukraine invasion we need to postpone/kill these protocol negotiations", but Russia's obedient puppy dog countries said "No way! Get out if you want!" We in the West have no clue how well Russia plays in the outer reaches of the world.
Even Israeli threat intelligence firm Kela reported that the REvil majors “never left the playing field”. The principals behind REvil never missed a beat.
The original REvil group did fragment, with members working with other ransomware operations. What we have now is some members of the old group making a (half-hearted) attempt to resurrect the REvil "brand", not the company. But the tepid revival raises the question of what constitutes a group. Brett Callow (who looked at the same info as BleepingComputer) noted that what we seem to have is a couple of satellite members working together to re-create the ransomware gang's original operation – it is not the original group – and they do not seem to pose an equal threat. And, he said, it is a bit weird:
“The fact that the new operation appears to be linked to REvil doesn’t make the threat it poses any more or less serious. I find it somewhat surprising to see the ransomware revived as, after being compromised by law enforcement, you’d think affiliates and service providers would have no confidence in the integrity of any operation connected with REvil.”
He and Avast security researcher Jakub Kroustek were posting concerns over the “REvil Brand revival” back in early April, before BleepingComputer.
Neither of them thinks the old REvil gang is back. All it means, they say, is that these breadcrumbs suggest that someone (or someones) has access to the REvil group's source code and infrastructure and may be restarting the operation. But there is no way the old crew is getting back together. We know they are on to other things. Instead, the breadcrumbs simply indicate that one or more people who were previously connected with the operation have decided to pick up the reins and see what they can do.
But either way, the apparent resurrection of the brand highlights the difficulty that cybersecurity professionals, law enforcement, and prosecutors have in disrupting successful cybercriminal groups.
And all the cyber mavens I spoke with said the discovered samples being floated around are modified in such a way that the core feature, file encryption, is disabled. This may indicate that the actor is testing and developing it for future malware campaigns. So there is probably something else afoot.
Thanks for all the additional information, Gregory! I should have checked with you first as I know you’ve written on this topic. 🙂
No worries. I have learned from Steve King and Andy Jenkinson and Mathew Schwartz and Garett Moreau and a host of other cybersecurity mavens on LI and elsewhere that cyber is a difficult follow. You need a village – and time. And never, EVER take a mainstream media article at face value.
Remember: I have a 6-person media team, and 2 of them only cover cyber. Although now everybody is also on Ukraine. And I knew the UN thing was coming up (2 years late due to COVID). So when the "joint 🇺🇸 🇷🇺 REvil operation" was announced after all those Russian cyber attacks on the U.S., I thought 🤔 … that's 💩. And began calling my "village".