New malware sample confirms the gang is back

The notorious REvil ransomware operation has returned amid rising tensions between Russia and the US, with new infrastructure and a modified encryptor that allows for more targeted attacks.

In October, the REvil ransomware gang was shut down after a police operation hijacked its Tor servers, followed by arrests of members by Russian law enforcement.

However, after the invasion of Ukraine, Russia declared that the US had withdrawn from the negotiation process regarding the REvil gang and closed communication channels.

REvil’s Tor Sites Come Back to Life

Soon after, the old REvil Tor infrastructure started working again, but instead of displaying the old websites, it redirected visitors to URLs for a new unnamed ransomware operation.

While these sites were nothing like previous REvil websites, the fact that the old infrastructure was redirected to the new sites indicated that REvil was probably up and running again. Additionally, these new sites contained a mix of new victims and data stolen during previous REvil attacks.

While these events strongly suggested that REvil had rebranded as the new unnamed operation, the same Tor sites had already been defaced in November with a message reading "REvil is bad."

That defacement showed that other threat actors, or law enforcement, also had access to REvil's Tor infrastructure, so the revived websites on their own were not strong enough evidence that the gang itself had returned.

REvil’s tor sites are defaced with an anti-REvil message
Source: BleepingComputer

The only way to know for sure whether REvil had returned was to find a sample of the new operation's ransomware encryptor and analyze it to determine whether it was merely a patched copy of the old binary or had been compiled from REvil's original source code, which only the gang itself is believed to hold.

A sample of the encryptor from the new ransomware operation was finally discovered