Amid escalating tensions between Russia and the United States, the legendary REvil ransomware operation has resurfaced, armed with new infrastructure and a tweaked encryptor that allows for more targeted attacks. The REvil ransomware group was shut down in October when its Tor servers were stolen by government enforcement, followed by arrests of members by Russian authorities. However, following the invasion of Ukraine, Russia claimed that the US had dropped out of the REvil gang negotiations and shut down communication links.
REvil’s Tor sites come back to life
Soon after, the old REvil Tor infrastructure started up again, but instead of redirecting visitors to old websites, they redirected them to URLs for a new ransomware operation that has yet to be named. Despite the fact that these sites did not resemble REvil’s previous websites, the fact that the old infrastructure was referring to the new sites showed that REvil was most likely back in business. Additionally, the data on these new sites was a combination of new victims and data acquired during past REvil assaults.
While these events definitely suggested that REvil had rebranded as the new unknown organisation, the Tor sites had previously posted a message stating that “REvil is terrible” in November. Because other threat actors or law enforcement got access to REvil’s TOR sites as a result of this access, the websites themselves were not sufficient proof of the gang’s reappearance.
REvil’s tor sites are defaced with an anti-REvil message Source: BleepingComputer
Finding a sample of the ransomware encryptor and analysing it to see if it was patched or compiled from source code was the only way to know for sure whether REvil was back. AVAST research Jakub Kroustek obtained a sample of the new ransomware operation’s encryptor this week, confirming the new operation’s ties to REvil.
Ransomware sample confirms return
While REvil’s encryptor is used by a few ransomware operations, they all use patched executables rather than having direct access to the gang’s source code. Multiple security researchers and malware analysts have alerted BleepingComputer that the detected REvil sample utilised by the new operation is compiled from source code and includes fresh alterations.
The REvil sample has had its version number changed to 1.0, however it is a continuation of the last version, 2.08, provided by REvil before they shut down, according to security expert R3MRUM.
The researcher told BleepingComputer that he doesn’t know why the encryptor doesn’t encrypt data, but that he believes it was constructed from source code. “Yes, the threat actor, in my opinion, has the source code. Unlike “LV Ransomware,” this one hasn’t been patched “R3MRUM revealed this to BleepingComputer.
The REvil sample was also reverse-engineered this weekend by Advanced Intel CEO Vitali Kremez, who confirmed to BleepingComputer that it was created from source code on April 26th and was not patched. The new REvil sample, according to Kremez, includes a new configuration parameter called ‘accs,’ which holds credentials for the specific victim the assault is aimed at. The ‘accs’ configuration option, according to Kremez, is used to block encryption on other devices that don’t have the given accounts or Windows domains, allowing for highly targeted attacks.
The latest REvil sample’s setup has changed the SUB and PID options, which are used as campaign and affiliate identities, to utilise longer GUID-type values, such as ‘3c852cc8-b7f1-436e-ba3b-c53b7fc6c0e4.’ While the ransomware sample did not encrypt, it did construct a ransom note that is identical to REvil’s previous ransom notes, according to BleepingComputer.
Furthermore, while there are significant modifications between the old REvil sites and the rebranded operation, it is nearly identical to the originals after a victim logs in, and the threat actors pretend to be ‘Sodinokibi,’ as demonstrated below.
Despite the fact that the initial public-facing REvil representative known as ‘Unknown’ is still missing, threat intelligence expert FellowSecurity told BleepingComputer that one of REvil’s original core developers, who was part of the former team, resumed the ransomware operation. As a core developer, it’s likely they had access to the whole REvil source code as well as the old sites’ Tor private keys.
Given the deteriorating relations between the United States and Russia, it’s hardly unexpected that REvil has renamed under the new operation. When ransomware operations rebrand, it’s usually to get around law enforcement or sanctions that prevent ransom payments. As a result, it’s unusual for REvil to make such a big deal about their reappearance, rather than trying to hide like so many other ransomware rebrands.