The REvil ransomware group is back up and running with new infrastructure and a modified encryptor after being supposedly shut down last year.
In October 2021, the notorious ransomware gang was shut down after a law enforcement operation hijacked its Tor servers. This was followed by the arrest of several of its key members by the Russian FSB.
As Russia’s invasion of Ukraine soured relations between it and the United States, the US government unilaterally shut down its cybersecurity communication channel with Moscow. As a result, the United States also withdrew from the negotiation process regarding REvil.
While it seemed for a while that REvil had closed shop for good, the group’s old Tor infrastructure recently started working again. However, instead of displaying the old websites, its Tor servers redirected visitors to URLs for a new, unnamed ransomware operation, according to a report by BleepingComputer.
A new REvil encryptor
Websites get redirected all the time, so finding a fresh sample of REvil’s ransomware encryptor and analyzing it is the only way to know whether the cybercriminal group is really back.
Fortunately, Avast Malware Research Director Jakub Kroustek recently found a sample of the encryptor used by the new ransomware group, which may or may not be REvil. It should be noted that other ransomware operations have used REvil’s encryptor in the past, but they all used patched executables rather than having direct access to the group’s source code.
Several security researchers and malware analysts who spoke with BleepingComputer have confirmed that this new sample is compiled from REvil source code, although it includes new changes. In a post on Twitter, security researcher R3MRUM said that although the sample’s version number is 1.0, it is actually a continuation of the last encryptor version REvil released before the gang’s shutdown (2.08).
Advanced Intel CEO Vitali Kremez was also able to reverse engineer the sample in question, and he confirmed to BleepingComputer that it was compiled from source code on April 26 and not patched.
Although REvil’s former public representative, known as “Unknown”, is still missing, threat intelligence researcher FellowSecurity told the outlet that one of the ransomware group’s main developers had revived the operation under a new name.
At this time, we still don’t know what name this rebranded version of the REvil ransomware group is operating under, but now that REvil is back, expect to see more high-profile attacks against important and valuable targets around the entire world.