Amid escalating tensions between Russia and the United States, the infamous REvil ransomware operation has resurfaced, armed with new infrastructure and a tweaked encryptor that allows for more targeted cyberattacks. The REvil ransomware group was shut down in October when its Tor servers were seized by law enforcement, followed by arrests of members by Russian authorities. However, following the invasion of Ukraine, Russia claimed that the US had dropped out of the REvil gang negotiations and shut down communication links.
Soon after, the old REvil Tor infrastructure started up again. But instead of redirecting visitors to the old domains, it sent them to URLs for a new ransomware operation that has yet to be identified. Even though these sites did not resemble REvil's prior websites, the old infrastructure pointing to the new sites showed that REvil was most likely back in business. Additionally, the data on these new sites combined new victims with data acquired from past REvil operations. While these occurrences suggested that REvil had rebranded as the new, unknown organization, the same Tor sites had displayed a message stating "REvil is bad" back in November.
Because other threat actors or law enforcement may have obtained access to REvil's Tor sites, the websites alone were not sufficient proof of the gang's reappearance. The only way to know whether REvil was back was to find a sample of the ransomware encryptor and analyze it to see whether it was patched or compiled from source code. AVAST researcher Jakub Kroustek obtained a sample of the new ransomware operation's encryptor this week, confirming the new operation's links to REvil.
While a few ransomware operations use REvil's encryptor, they always employ patched executables. Multiple security experts and malware analysts have said that the newly found REvil sample employed by the new operation is built from source code and contains novel alterations. According to a tweet from security expert R3MRUM, the REvil sample has had its version number changed to 1.0, yet it is a continuation of version 2.08, the last version REvil released before shutting down.
The researcher stated during a discussion that he could not explain why the encryptor does not encrypt files, but that he believes it was built from source code.
"Yes, my assessment is that the threat actor has the source code. Not patched like 'LV Ransomware' did," R3MRUM said.
The REvil sample was also reverse-engineered this weekend by Advanced Intel CEO Vitali Kremez, who confirmed it was compiled from source code on April 26th and was not patched. According to Kremez, the latest REvil sample has a new configuration parameter called 'accs', which holds credentials for the specific victim the attack is aimed at. He believes the 'accs' option is used to block encryption on other devices that do not have the given accounts or Windows domains, allowing for highly targeted attacks.
The latest REvil sample's configuration also changes the SUB and PID options, which are used as campaign and affiliate identifiers, to longer GUID-type values such as '3c852cc8-b7f1-436e-ba3b-c53b7fc6c0e4'. Furthermore, while there are significant differences between the previous REvil sites and the rebranded operation's public pages, the site is nearly identical to the originals once a victim logs in, and the threat actors refer to themselves as 'Sodinokibi'. While the original public-facing REvil representative known as 'Unknown' is still absent, threat intelligence researcher FellowSecurity claims that one of REvil's original core developers, a member of the previous team, has resumed the ransomware operation.
Given that they were a core developer, it is reasonable to assume that they had access to the complete REvil source code and to the Tor private keys for the previous sites. Given the deteriorating ties between the United States and Russia, it is hardly unexpected that REvil has been rebranded under the new operation. When ransomware operations rebrand, it is usually to get around law enforcement or sanctions that restrict ransom payments. As a result, it is unusual for REvil to make such a public show of its reappearance rather than trying to hide, as so many other ransomware rebrands have done.