Just when you thought it was safe, REvil has returned! According to reports, the notorious REvil ransomware operation has returned amidst rising tensions between Russia and the USA, with new infrastructure and a modified encryptor allowing for more targeted attacks.
According to Bleeping Computer (“REvil ransomware returns: New malware sample confirms gang is back”, written by Lawrence Abrams – hat tip to Sharon Nelson’s excellent Ride the Lightning blog for the initial coverage), REvil has returned because, after the invasion of Ukraine, Russia stated that the US had withdrawn from the negotiation process regarding the REvil gang and closed communications channels.
The REvil ransomware gang had shut down in October after a law enforcement operation hijacked their Tor servers, followed by arrests of members by Russian law enforcement (which I covered here). However, after the negotiation process broke down, the old REvil Tor infrastructure began operating again; instead of showing the old websites, it redirected visitors to URLs for a new, unnamed ransomware operation.
While these sites looked nothing like REvil’s previous websites, the fact that the old infrastructure was redirecting to the new sites indicated that REvil was likely operating again. Furthermore, these new sites contained a mix of new victims and data stolen during previous REvil attacks.
While these events strongly indicated that REvil rebranded as the new unnamed operation, the Tor sites had also previously displayed a message in November stating that “REvil is bad”, so the websites themselves were not strong enough proof of the gang’s return.
The only way to know for sure whether REvil was back was to find a sample of the ransomware encryptor and analyze it to determine if it was patched or compiled from source code. BleepingComputer has been told by multiple security researchers and malware analysts that the discovered REvil sample used by the new operation is compiled from source code and includes new changes, confirming the new operation’s ties to REvil.
The article (via the link above) has considerably more information about REvil’s return. Like it or not, REvil has returned – at least in some form. Protect those devices!
So, what do you think? Are you surprised that REvil has returned? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.