New evidence has emerged that notorious REvil ransomware is back with a vengeance, as newly discovered samples indicate the group is now indiscriminate in choosing its targets.
Cybersecurity researchers from Secureworks analyzed new malware samples recently uploaded to VirusTotal and came to the conclusion that whoever was behind probably had access to REvil source code in the past.
This led researchers to believe this is likely the same group whose operations were shut down in late 2021.
Nothing is forbidden anymore
“The identification of multiple samples containing different modifications and the absence of a new official version indicate that REvil is under development,” the researchers said in a blog post announcing the news.
A new REvil leak site has recently emerged. This most recent sample, along with an older sample, discovered in October last year, all indicate that REvil is active again.
In these new versions, researchers spotted upgrades in the string decryption logic, making it rely on a new command-line argument. Hard-coded public keys have been updated, along with configuration storage location and data format for affiliate tracking.
But perhaps the biggest change is the removal of no-go regions. Older versions of REvil checked the geographical location of the infected terminal and, if it met certain criteria (for example, if it was in a Russian-speaking community), did not activate.
This is no longer the case.
“The October 2021 REvil sample removed code that verified that the ransomware was not running on a system that resided in a prohibited region,” the CTU researchers wrote. “This removal allowed REvil to run on any system, regardless of location.”
REvil was initially shut down after a joint US-Russian operation, with the Russians arresting over a dozen members.
As Russia’s invasion of Ukraine soured relations between it and the United States, the US government went ahead and unilaterally shut down its communication channel on cybersecurity with Moscow. . As a result, the United States also withdrew from the negotiation process regarding REvil.
Prior to Secureworks’ analysis, other cybersecurity companies warned of the resurgence of REvil, including Avast, Advanced Intel, R3MRUM and others.
Via: The Register