It appears that the Russian-speaking REvil ransomware group, known for its high-profile cyberattacks against multiple companies across the world, has reared its head once again. The group ceased operations last October after a law enforcement operation took control of their Tor servers and several members of REvil were arrested by Russian police.
However, following the Russian invasion of Ukraine in February 2022, the old REvil Tor infrastructure came back to life, redirecting users to URLs for a new unnamed ransomware operation. According to the technology news site Bleeping Computer, these new websites contained new victims and data stolen in the previous REvil hacks.
Although the resurrection of the old REvil Tor infrastructure doesn’t necessarily mean that the gang has begun operating again, a sample of the new ransomware operation's encryptor spotted by security researchers indicates the group’s return.
The discovered sample used by the new operation is compiled from REvil source code and appears to be a continuation of the last version, 2.08, released by REvil before they shut down. Currently, the new sample doesn’t encrypt files, but it creates a ransom note identical to ransom notes displayed in previous REvil attacks.
Another interesting detail the researchers have observed is that the new REvil ransomware includes a new configuration field, 'accs,' which contains credentials for the specific victim that the attack is targeting. This is likely meant to prevent encryption on other devices that do not contain the specified accounts and Windows domains, thus allowing for highly targeted attacks.
According to threat intelligence researcher FellowSecurity, the REvil ransomware operation was relaunched by one of the group’s original core developers.
“However, when ransomware operations rebrand, they typically do it to evade law enforcement or sanctions preventing the payment of ransoms. Therefore, it is unusual for REvil to be so public about their return, rather than trying to evade detection like we have seen in so many other ransomware rebrands,” Bleeping Computer noted.