The notorious REvil ransomware operation has returned amid rising tensions between Russia and the US, with new infrastructure and a modified encryptor that allows for more targeted attacks.
In October, the REvil ransomware gang was shut down after a police operation hijacked its Tor servers, followed by arrests of members by Russian law enforcement.
However, after the invasion of Ukraine, Russia declared that the US had withdrawn from the negotiation process regarding the REvil gang and closed communication channels.
REvil’s Tor Sites Come Back to Life
Soon after, the old REvil Tor infrastructure started working again, but instead of displaying the old websites, it redirected visitors to URLs for a new unnamed ransomware operation.
While these sites were nothing like previous REvil websites, the fact that the old infrastructure was redirected to the new sites indicated that REvil was probably up and running again. Additionally, these new sites contained a mix of new victims and data stolen during previous REvil attacks.
While these events clearly indicated that REvil had rebranded itself as the new unnamed operation, the same Tor sites had also previously displayed a message in November stating that “REvil is bad.”
That earlier defacement showed that other threat actors or law enforcement already had access to REvil’s Tor sites, so the websites themselves were not strong enough evidence of the gang’s return.
The only way to know for sure if REvil had returned was to find a sample of the ransomware encryptor and analyze it to determine if it was patched or compiled from source code.
A sample of the encryptor from the new ransomware operation was finally discovered this week by Avast researcher Jakub Kroustek, and it has confirmed the links between the new operation and REvil.
Ransomware Sample Confirms Return
While some ransomware operations use REvil’s encryptor, they all use patched executables instead of having direct access to the gang’s source code.
However, several security researchers and malware analysts have told BleepingComputer that the discovered REvil sample used by the new operation is compiled from source code and includes new changes.
Security researcher R3MRUM tweeted that the REvil sample’s version number has been changed to 1.0, but that it is a continuation of version 2.08, the last version released by REvil before the shutdown.
In a conversation with BleepingComputer, the researcher said he could not explain why the encryptor does not encrypt files, but he believes it was compiled from source code.
“Yes, my assessment is that the threat actor has the source code. Not patched like ‘LV Ransomware’ did,” R3MRUM told BleepingComputer.
Advanced Intel CEO Vitaly Kremez also reverse-engineered the REvil sample this weekend and confirmed to BleepingComputer that it was compiled from source code on April 26 and was not patched.
Kremez told BleepingComputer that the new REvil sample includes a new configuration field, ‘accs’, which contains the credentials of the specific victim targeted by the attack.
Kremez believes that the ‘accs’ configuration option is used to bypass encryption on other devices that do not contain the specified Windows domains and accounts, allowing highly targeted attacks.
In addition to the ‘accs’ option, the new REvil sample’s configuration has modified the SUB and PID options, used as campaign and affiliate identifiers, to use longer GUID-type values, such as ‘3c852cc8-b7f1-436e-ba3b-c53b7fc6c0e4’.
BleepingComputer also tested the ransomware sample, and although it did not encrypt any files, it did create the ransom note, which is identical to the old REvil ransom notes.
Also, while there are some differences between the old REvil sites and those of the rebranded operation, once a victim logs into the site it is almost identical to the original ones, with the threat actors claiming to be ‘Sodinokibi’, as shown below.
While REvil’s original public-facing representative known as ‘Unknown’ is still missing, threat intelligence researcher PartnerSecurity told BleepingComputer that one of REvil’s original lead developers, who was part of the old team, relaunched the ransomware operation.
Since this was a core developer, it would make sense that they would also have access to the full REvil source code and potentially Tor private keys for the old sites.
It is not surprising that REvil has changed its name under the new operation, especially with US-Russian relations on the decline.
However, when ransomware operations change brands, they usually do so to evade law enforcement or sanctions that prevent ransom payments.
Therefore, it is unusual for REvil to be so public about its return, instead of trying to evade detection as we have seen in so many other ransomware rebrands.