The REvil ransomware gang, which was highly active in 2021, seems to be operational again. The Russian-speaking gang was shut down and its members were arrested by Russian law enforcement. The USA and 16 other countries were involved in this operation, effectively hacking the gang's Tor servers to shut them down. A REvil gang member was then compromised after trying to restore the server from backups.
Many indicators
Because of the Russian invasion of Ukraine, many countries and companies cut communications with Russia and began imposing sanctions. This includes the cybersecurity communication channel between Russia and the USA, which means the USA has withdrawn from the negotiation process regarding the REvil gang. Now the gang seems to be operational again, redirecting its old websites to a new URL for a new ransomware campaign. While the new site looks very different from the old one, it contains old data stolen in REvil attacks before the arrests as well as new data.
To confirm that the gang is operational again, security researchers looked for an encryptor sample to analyze. At the end of April, Avast security researcher Jakub Kroustek managed to find and analyze one. The new encryptor does have ties to REvil. However, the tool only changes the files' extensions instead of actually encrypting them. It also reports its version as 1.0, while it is in fact a continuation of version 2.08 of REvil's encryptor. The gang behind this campaign demands the equivalent of $1.5 million.
A few hours ago, we blocked a #ransomware sample in-the-wild that looks like a new #Sodinokibi / #REvil variant. Timestamp 2022-04-27, new config, new mutex, campaign ID, etc. Funny thing… it does not encrypt files; only adds a random extension 🤔 42 BTC https://t.co/UL1ECGLpmg pic.twitter.com/A8p5SLjcZr
— Jakub Kroustek (@JakubKroustek) April 29, 2022
Currently, the reason for not encrypting files is unknown. However, the sample creates a ransom note identical to REvil's notes. Researchers at FellowSecurity state that one of the original REvil developers relaunched the ransomware operation. So we might hear more of REvil, or whatever its new name will be, in the near future.