The REvil ransomware threat group was dismantled by Russian authorities mid-January 2022, but recent activity has shown a potential reappearance.
From changes in ransomware samples to reactivated pages on the dark web, there is no denying that development is occurring.
But are REvil back to business or is this simply part of a new operation?
REvil, short for Ransomware Evil, was first identified in April 2019 and has since become one of the most aggressive and prolific ransomware-as-a-service gangs active on the dark web. Attributed to the Russia-based group Gold Southfield, known for its financially motivated attacks, it’s one of the earliest groups to deliver double extortion tactics, which is now progressing into triple extortion as hackers go to extreme lengths to ensure pay out.
In the past year, you may have seen REvil in the headlines after two major high-profile attacks:
REvil was supposedly shut down in January, after the Russian authorities dismantled the crime group and charged several of its members, but now there are suggestions of return after almost 6 months of inactivity.
There have been multiple indications of REvil returning to the cyber landscape – everything from changes to source code, to reactivated pages on the dark web.
Security researchers have identified new ransomware samples that, after analysis, they believe indicate the developer has access to REvil’s source code, signaling the threat group’s return.
“The identification of multiple samples with varying modifications in such a short period of time and the lack of an official new version indicates that REvil is under heavy active development once again.”
Cybersecurity firm Avast have also disclosed that they’d blocked a ransomware sample in the wild that looked like a REvil variant, only a week after REvil’s data leak site in the TOR network was redirected to a new host on April 20th. The changes to these samples were dissected by Avast to reveal updates to its string decryption logic, the configuration storage location and the hard-coded public keys, as well as the TOR domains displayed in the ransom note.
Not only have new and updated ransomware samples been updated, but the page on the dark web with information about victims of cyber-attacks, known as Happy Blog, has been reactivated, with two new notable changes:
With these subtle yet significant modifications to samples and the dark web, organisations must stay on high alert. Could REvil be preparing to strike again? And would they side with Russia in the current conflict alongside Conti? There could be some rebellious retaliation attacks on our hands.
Experts are currently divided on whether REvil has truly returned, raising more questions than it does answers. Security researchers have noted that “it is not uncommon for today’s cyber extortion groups to disappear and re-emerge in other forms or rebrand” – perhaps the return of REvil is simply another blip in their extending timeline.
However, it is interesting that the same site is being re-used, with both old and new victims of REvil displayed, and it could be that someone is trying to use the REvil reputation without being connected to the original group. Does this show that REvil ransomware is becoming a jump-on-the-wagon scheme where aspiring hackers can showcase their skills? What would this mean for victimised organisations? Is it a never-ending hacker chase?
With this in mind, a Senior Cybersecurity Expert has suggested that the chase may really be on:
“The return may have been facilitated by Russian law enforcement to entrap other members of REvil’s former operation.”
The FSB could indeed be luring in other cybercriminals, since traditional methods like investigative research have become less effective, relying on hackers making mistakes. Although, with more and more new victims being posted to the site, it appears less likely that this is the case.
Whether REvil ransomware has returned or not, organisations must be aware of the repercussions of an unpredictable cyber landscape – no one knows what is around the corner.
Researchers are keeping an eye on REvil activity over the coming weeks and months to further interpret what is happening, and for now all we can do is stay on high alert.
Read our Top 8 Ransomware Mitigation Tactics to refresh yourself on key security practices.
Discover more about our #RansomAware campaign.
Any questions?
Contact us at hello@talion.net
Call us directly and we’ll put you in touch with the most relevant cyber expert.
Not currently free to call? Give us a brief description of what you’re looking for by filling out our form and we’ll email you as soon as we can.
Thought-provoking cyber security discussion at Michelin-star restaurants across the UK.
