REvil Ransomware Returns: Who’s At Stake? - Talion

The REvil ransomware threat group was dismantled by Russian authorities mid-January 2022, but recent activity has shown a potential reappearance.

From changes in ransomware samples to reactivated pages on the dark web, there is no denying that development is occurring.

But are REvil back to business or is this simply part of a new operation?


The Root Of All REvil

REvil, short for Ransomware Evil, was first identified in April 2019 and has since become one of the most aggressive and prolific ransomware-as-a-service gangs active on the dark web. Attributed to the Russia-based group Gold Southfield, known for its financially motivated attacks, it is one of the earliest groups to use double extortion tactics, which are now progressing into triple extortion as hackers go to extreme lengths to ensure payout.

In the past year, you may have seen REvil in the headlines after two major high-profile attacks:

REvil was supposedly shut down in January, after the Russian authorities dismantled the crime group and charged several of its members, but now there are suggestions of a return after almost 6 months of inactivity.


Is REvil Ransomware Really Back?

There have been multiple indications of REvil returning to the cyber landscape – everything from changes to source code, to reactivated pages on the dark web.

Security researchers have identified new ransomware samples that, after analysis, they believe indicate the developer has access to REvil’s source code, signaling the threat group’s return.

“The identification of multiple samples with varying modifications in such a short period of time and the lack of an official new version indicates that REvil is under heavy active development once again.”

Cybersecurity firm Avast has also disclosed that it blocked a ransomware sample in the wild that looked like a REvil variant, only a week after REvil’s data leak site in the TOR network was redirected to a new host on April 20th. Avast dissected the changes in these samples and found updates to the string decryption logic, the configuration storage location and the hard-coded public keys, as well as to the TOR domains displayed in the ransom note.

Not only have new and updated ransomware samples appeared, but the page on the dark web with information about victims of cyber-attacks, known as Happy Blog, has been reactivated, with two new notable changes:

  • Oil India – they suffered a ransomware attack on 10th April by an unknown threat group which demanded a $7.9 million ransom, and the site features a few of the company’s internal documents
  • Recruitment page – promises hackers an 80/20 split on ransom payments if they were to join, appearing suspiciously similar to the tactics the gang were using before they were taken down by the FSB


With these subtle yet significant modifications to samples and the dark web, organisations must stay on high alert. Could REvil be preparing to strike again? And would they side with Russia in the current conflict alongside Conti? There could be some rebellious retaliation attacks on our hands.


Is It REvil Or Is It Trying To Be REvil?

Experts are currently divided on whether REvil has truly returned, raising more questions than it does answers. Security researchers have noted that “it is not uncommon for today’s cyber extortion groups to disappear and re-emerge in other forms or rebrand” – perhaps the return of REvil is simply another blip in their extending timeline.

However, it is interesting that the same site is being re-used, with both old and new victims of REvil displayed, and it could be that someone is trying to use the REvil reputation without being connected to the original group. Does this show that REvil ransomware is becoming a jump-on-the-wagon scheme where aspiring hackers can showcase their skills? What would this mean for victimised organisations? Is it a never-ending hacker chase?

With this in mind, a Senior Cybersecurity Expert has suggested that the chase may really be on:

“The return may have been facilitated by Russian law enforcement to entrap other members of REvil’s former operation.”

The FSB could indeed be luring in other cybercriminals, since traditional methods like investigative research have become less effective, relying on hackers making mistakes. However, with more and more new victims being posted to the site, it appears less likely that this is the case.


Whether REvil ransomware has returned or not, organisations must be aware of the repercussions of an unpredictable cyber landscape – no one knows what is around the corner.

Researchers are keeping an eye on REvil activity over the coming weeks and months to further interpret what is happening, and for now all we can do is stay on high alert.

Read our Top 8 Ransomware Mitigation Tactics to refresh yourself on key security practices.

Discover more about our #RansomAware campaign.

Any questions?

Contact us at hello@talion.net

Filed in Blog, by Talion. 0 comments