New evidence has emerged that the notorious REvil ransomware is back, with recovered samples indicating that the group is now willing to hit victims anywhere.
Secureworks experts reviewed fresh malware samples recently uploaded to VirusTotal and concluded that whoever was behind it had previous access to REvil's source code.
This led the researchers to believe it is the same group that went dark in late 2021.
"The developer had access to REvil's source code, bolstering the idea that the threat organization has resurfaced," Secureworks Counter Threat Unit (CTU) researchers said.
"The discovery of so many samples with various alterations in such a short period of time, as well as the lack of an official new version, demonstrates that REvil is once again in active development."
A new REvil leak site has also appeared online. Together, the fresh sample and an older one obtained in October of last year point to REvil being active once more.
In these latest versions, the researchers found changes to the string decryption logic, which now requires a new command-line option; the location of configuration storage and the data format used for affiliate tracking have been modified, and the hard-coded public keys have been replaced.
The most significant change is the removal of the off-limits locations. Earlier versions examined the geographical location of the infected endpoint and would not run if the system fell within an excluded region.
REvil was also one of the first groups to use double extortion: data stolen during the intrusion is held as additional leverage to pressure victims into paying.
The ransomware group has been active since 2019 and made headlines last year with its high-profile attacks on JBS and Kaseya; it shut down in October 2021 after a law-enforcement action in which its server infrastructure was taken over.
In January of this year, Russia's Federal Security Service (FSB) raided 25 separate sites across the country and arrested several members of the cybercriminal group.
On April 20, REvil's Tor data leak site began redirecting to new servers. A week later, the cybersecurity firm Avast reported that it had blocked a ransomware sample in the wild that "looks like a new Sodinokibi/REvil variant."
As Russia's invasion of Ukraine strained relations with the United States, the cybersecurity communication channel between Washington and Moscow was shut down, and with it the talks concerning REvil.
Although the sample in question did not actually encrypt files and only appended a random extension to them, Secureworks attributed this to a programming fault in the function that renames a file after encryption.
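The "renamed but not encrypted" case described above is worth checking for during incident triage, because a ransomware build whose encryption path is broken leaves the data recoverable even though every file carries a scary new extension. The following script is an added example, not Secureworks or REvil code; the magic-byte table, the entropy threshold and the constructed sample files are assumptions chosen for illustration. It separates files that still carry a known signature or readable text ("renamed-only") from files whose content has ciphertext-like entropy ("likely-encrypted").

```python
"""Triage helper: did a ransomware run actually encrypt files, or only rename them?

Added example for this article, not code from Secureworks or from any ransomware
family. Two cheap checks separate "renamed only" from "likely encrypted":
a known file-signature (magic bytes) test and a Shannon-entropy test on the
first few kilobytes of content.
"""
import math
import os
import random
import tempfile
from collections import Counter

# Magic bytes for a few common formats (assumed list, extend as needed). A file
# that still starts with one of these after the incident was renamed, not encrypted.
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip/ooxml",
    b"\xff\xd8\xff": "jpeg",
    b"\x7fELF": "elf",
    b"MZ": "pe",
}

# Bits per byte above which content is treated as ciphertext. Random data sits
# near 8.0, natural-language text around 4-5. Compressed formats also score
# high, which is why the signature and text checks run first. Assumed value.
ENTROPY_THRESHOLD = 7.2
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_text(data: bytes) -> bool:
    """Heuristic: decodes as UTF-8 and is almost entirely printable characters."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if not text:
        return False
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return printable / len(text) > 0.95


def classify(data: bytes) -> str:
    """Verdict for one file's content: 'renamed-only', 'likely-encrypted' or 'unknown'."""
    head = data[:SAMPLE_BYTES]
    if any(head.startswith(magic) for magic in MAGIC):
        return "renamed-only"
    if looks_like_text(head):
        return "renamed-only"
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "likely-encrypted"
    return "unknown"


def scan_directory(path: str) -> dict:
    """Classify every regular file directly under `path`; returns {name: verdict}."""
    verdicts = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                verdicts[name] = classify(fh.read(SAMPLE_BYTES))
    return verdicts


def fake_ciphertext(n: int, seed: int = 7) -> bytes:
    """Deterministic pseudo-random bytes standing in for real ciphertext (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def triage_demo() -> dict:
    """Build three constructed victim files with a random-looking extension and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            # PDF header intact: encryption never ran, only the rename did.
            "report.pdf.k7x2q": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" + b"x" * 512,
            # Plain text, readable as-is.
            "notes.txt.k7x2q": b"Q3 planning notes\nbudget review on Monday\n" * 40,
            # No signature, high entropy: the encryption path did run here.
            "budget.xlsx.k7x2q": fake_ciphertext(SAMPLE_BYTES),
        }
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, verdict in triage_demo().items():
        print(f"{verdict:17} {name}")
```

Run it over the directory of renamed files from an affected host before touching backups: a "renamed-only" verdict means stripping the appended extension restores the file, while "likely-encrypted" files need a key or a decryptor. Treat "unknown" (no signature, low entropy, not text) as a prompt to inspect the file by hand rather than as a verdict either way.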