REvil has returned after a brief hiatus. After purportedly being shut down last year, they are back in business with infrastructure upgrades and an updated encryptor.
The notorious ransomware gang was shut down in October 2021 after law enforcement hijacked its Tor servers. Shortly afterwards, Russia's FSB arrested several of the group's prominent members.
As Russia's invasion of Ukraine strained relations with the United States, the US government unilaterally shut down the cybersecurity communication channel it had with Moscow. As a result, the United States also withdrew from the REvil negotiations.
REvil is a combination of "ransomware" and "evil." The hacker collective is based in Russia. REvil/Sodinokibi, or REvil.Sodinokibi is the moniker given to the organization's malware family by security researchers.
Ransomware, put simply, is file-blocking malware that encrypts files after infection, and it is the tool of choice for gangs like REvil. Once the data has been taken and rendered inaccessible, the organization sends a ransom note to the victims. Typically, the note demands that the ransom be paid in a cryptocurrency such as Bitcoin, and the demand doubles if the ransom is not paid on time. The apparent anonymity and convenience of online payment are two reasons cryptocurrencies are favored.
REvil would steal data from computers, lock victims out of their systems, and then threaten to auction off the stolen data, an unusual way of piling additional pressure on victims.
REvil also ran a business selling its tooling to third-party hackers. Members of REvil would lease the ransomware to other hacker organizations to carry out similar attacks, a model known as ransomware as a service (RaaS). In exchange for the use of its services and software, REvil would receive a portion of any ransom payments the other group collected.
The ransomware group has been linked to several high-profile attacks, including one against Quanta, a Taiwanese firm that supplies Apple with data center equipment. REvil claimed it had stolen vital information on Apple-like computer designs and demanded a $50 million ransom. REvil, however, "mysteriously erased any references relating to the extortion attempt from its dark web blog," as tech publication MacRumors reported in April. It is unknown at this time whether Apple or Quanta paid the ransom.
Because the group's websites are constantly being redirected, locating and analyzing a new sample of REvil's ransomware encryptor is the only way to determine whether or not the cybercriminal group has actually returned.
Fortunately, Jakub Kroustek, Avast's malware research director, recently discovered a sample of the encryptor used by a new ransomware gang that may or may not be REvil. Other ransomware operations have used REvil's encryptor before, but they all relied on patched executables rather than having direct access to the group's source code.
According to various security researchers and malware analysts who spoke with BleepingComputer, this new sample is built from REvil's source code, though it does include some further alterations. Although the sample's version number is 1.0, security researcher R3MRUM says that it is a continuation of REvil's final encryptor version (2.08), issued before the group was shut down.
Vitali Kremez, CEO of Advanced Intel, was also able to reverse engineer the sample in question. He confirmed to BleepingComputer that it was compiled from source code on April 26 and was not patched.
Although REvil's original public-facing representative is still absent, threat intelligence researcher FellowSecurity told the news outlet that one of the ransomware group's original core developers has resumed the operation under a new moniker.
We do not yet know what this rebranded version of the REvil ransomware organization calls itself, but now that REvil has returned, expect additional high-profile attacks on critical and valuable targets around the world.