REvil Ransomware Makes a Comeback
The Ransomware Operation Has Emerged with a New Infrastructure and a Modified Encryptor.
REvil ransomware (also known as Sodin) was discovered in April 2019 and has since been improved to be more difficult to detect. Once infected, it encrypts data and deletes the ransom request message. Upon receiving the message, the victim is informed that a bitcoin ransom must be paid and that, if the ransom is not paid in a timely manner, the demand will double.
REvil is an excellent example of Ransomware as a Service (RAAS), a type of cybercrime where two parties collaborate on a hack: the code writers who create the ransomware and the affiliates who distribute it and collect the payment. Sodinokibi ransomware is particularly damaging for businesses of all sizes because of this characteristic. The ransomware Sodinokibi, also known as Sodin or REvil, quickly rose to become the world’s fourth most widely disseminated malware, mostly affecting businesses in the United States and Europe.
While tensions between Russia and the United States are escalating, the famed REvil ransomware operation has reappeared, this time with new infrastructure and a tweaked encryptor that allows for more targeted attacks.
The Russian government said after the invasion of Ukraine that the United States had withdrawn from the negotiations with the REvil gang and had shut off communications connections with the group.
After a short period of time, the old REvil Tor infrastructure started to function again, but instead of redirecting users to the previous domains, they routed them to URLs for a new nameless ransomware operation instead.
Who uses RUTOR for ransomware adverts?
“The same proven (but improved) software” lol pic.twitter.com/RbEUbatYOL
— pancak3 (@pancak3lullz) April 19, 2022
The fact that the old infrastructure was referring to the new sites showed that REvil was most likely running again, even if the new websites looked nothing like REvil’s prior domains. The data on these new sites was a mixture of data from past REvil assaults, as well as data from fresh victims.
Despite the fact that these actions plainly suggested that REvil had rebranded as the new unknown organization, the Tor sites had previously shown a notice in November indicating that “REvil is evil.”
Because other threat actors or law enforcement agencies got access to REvil’s TOR sites as a result of this access, the websites themselves were not conclusive evidence of the gang’s reappearance.
According to security researcher R3MRUM, the REvil sample has had its version number altered to 1.0, but it is really a continuation of the previous version, 2.08, that was provided by REvil before they were forced to close their doors permanently.
Confirmed. Has a version value of 1.00 but initial code analysis shows that its a continuation of the last version (2.08x) released 🧐. For instance, presence of the ‘accs’ config element. There goes my weekend. https://t.co/2kgpbmDFOS pic.twitter.com/8EHDnlazAI
— R3MRUM (@R3MRUM) April 30, 2022
As BleepingComputer reports, in light of the deteriorating ties between the United States and Russia, it is no surprise that REvil has been renamed under the new operation.