Talk of the REvil: Amid Much Speculation, Dreaded Ransomware Gang Makes a Comeback

essidsolutions

The REvil ransomware gang is creeping back into the cybercrime scene through a new ransomware variant with limited capabilities. The variant, however, utilizes the same source code as the gang’s previous variant and emerges a week after the ransomware syndicate’s original leak site was revived.

Jakub Kroustek, a malware researcher at Avast, recently discovered a new ransomware sample similar to the one used by the REvil ransomware gang, almost confirming the return of the dreaded malicious threat actors. Kroustek said the variant is different from the original one and has a new config, mutex, and campaign ID, among other parameters.

Reverse engineer R3MRUM also confirmed the presence of the source code of the previous REvil variant in this new one. However, this one is versioned as 1.00, which is different from the 2.08x variant version that existed before the gang’s malicious operations were disrupted by law enforcement in multiple countries.

Confirmed. Has a version value of 1.00 but initial code analysis shows that it's a continuation of the last version (2.08x) released 🧐. For instance, presence of the 'accs' config element. There goes my weekend. pic.twitter.com/8EHDnlazAI

— R3MRUM (@R3MRUM) April 30, 2022

A major difference between the old and this new REvil sample is that the new one, with a timestamp of April 27, 2022, cannot encrypt files on the target system. Nevertheless, R3MRUM pointed out the presence of the accs configuration element, which allows attacks against specific targets, much like the original REvil variant.

As of May 2, 48 out of 69 security vendors and one sandbox on the malware aggregator and scan engine VirusTotal flagged the new sample as malicious.

Upon successful infiltration and encryption of the target system, the new REvil variant, which identifies itself as Sodinokibi, leaves the following note:

A Ransom Note from REvil’s new Variant | Source: Jakub Kroustek


REvil emerged as one of the most prolific ransomware operations since it popped up, for a second time, in April 2019. The Russia-based threat actors are known to target organizations outside the Russian-speaking countries. According to IBM X-Force, it was responsible for carrying out almost one in three ransomware attacks in 2020, notching up ransom proceeds of up to $100 million.

According to the U.S. Department of Justice, REvil amassed around $200 million from ransom proceeds until it was made defunct.

In 2021, REvil continued to be highly effective in causing mass disruption to the normal business operations of Quanta, Acer, Kaseya, JBS Foods, and many others. The group even made some of the highest ransom demands ever.

Considered a national security threat to the U.S., the REvil gang was in trouble in the aftermath of the July 2021 Kaseya ransomware attack as the FBI was in hot pursuit. However, the trail turned cold when the gang went underground for a few months until September, when it re-emerged.

A month later, the REvil infrastructure was hacked and taken offline in a U.S.-led multi-country operation. In November, the U.S. indicted two alleged REvil members (Yaroslav Vasinskyi and Yevgeniy Polyanin) and apprehended three others (two in Romania and one in Kuwait).

Finally, in January 2022, the Russian government took it upon itself to shutter REvil operations for good and arrested 14 REvil members at the behest of the U.S. government. Russia’s Federal Security Service (FSB) also seized 426 million rubles ($5.6 million) in cash, cryptocurrency worth $600,000, and 20 luxury cars from the gang members.

However, the 14 members were arrested for financial crimes, not ransomware operations. Moreover, none of those arrested were developers. The developers remain at large and are possibly making a comeback.

In April this year, the leak site of REvil suddenly came back online, bewildering both white and black hat hackers. Visiting the site would redirect the user to a new leak site (active since mid-December) that listed REvil victims.

Researchers speculated it to be the work of an impostor (or a honeypot run by law enforcement), since law enforcement is who had access to the original leak site (called Happy Blog). The fact that the newly discovered REvil sample doesn’t encrypt data and files also seems unbecoming of the ransomware gang, weakened though it may be.

At the same time, it doesn’t necessarily refute the fear that the REvil gang is back from the dead.
