New malware sample confirms gang is back

By Insolvency 3 years ago


The notorious REvil ransomware operation has returned amid rising tensions between Russia and the United States, with new infrastructure and a modified encryptor that allows for more targeted attacks.

In October, the REvil ransomware gang shut down after a law enforcement operation hijacked their Tor servers, followed by arrests of members by Russian law enforcement.

However, after the invasion of Ukraine, Russia stated that the US had withdrawn from the negotiation process regarding the REvil gang and closed the communication channels.

REvil’s Tor sites come back to life

Soon after, the old REvil Tor infrastructure began working again, but instead of displaying the old sites, it redirected visitors to URLs for a new, unnamed ransomware operation.

While these sites looked nothing like REvil’s previous sites, the fact that the old infrastructure was redirecting to the new sites indicated that REvil was likely operating again. In addition, these new sites contained a mix of new victims and data stolen during previous REvil attacks.

Although these events strongly suggested that REvil had rebranded as the new unnamed operation, the Tor sites had also previously displayed a message in November stating that “REvil is bad.”

That message meant that other threat actors or law enforcement had access to REvil’s Tor sites, so the sites by themselves were not strong enough evidence of the gang’s return.

REvil’s Tor sites defaced with an anti-REvil message
Source: BleepingComputer

The only way to know for sure whether REvil was back was to find a sample of the ransomware encryptor and analyze it to determine whether it was patched or compiled from source code.

A sample of the new ransomware operation’s encryptor was finally discovered this week by Avast researcher Jakub Kroustek and has confirmed the new operation’s ties to REvil.

Ransomware sample confirms return

While a number of ransomware operations are using REvil’s encryptor, they all use patched executables rather than having direct access to the gang’s source code.

However, BleepingComputer has been told by several security researchers and malware analysts that the REvil sample used by the new operation is compiled from source code and includes new changes.

Security researcher R3MRUM has tweeted that the REvil sample has had its version number changed to 1.0 but is a continuation of the last version, 2.08, released by REvil before they shut down.

Version change in new REvil encryptor

In a conversation with BleepingComputer, the researcher said he could not explain why the encryptor would not encrypt files but believes it was compiled from source code.

“Indeed, my assessment is that the threat actor has the source code. Not patched like ‘LV Ransomware’ did,” R3MRUM told BleepingComputer.

Advanced Intel CEO Vitali Kremez also reverse-engineered the REvil sample this weekend and has confirmed to BleepingComputer that it was compiled from source code on April 26th and was not patched.

Kremez told BleepingComputer that the new REvil sample includes a new configuration field, ‘accs,’ which contains credentials for the specific victim that the attack is targeting.

Kremez believes that the ‘accs’ configuration option is used to prevent encryption on other devices that do not contain the specified accounts and Windows domains, allowing for highly targeted attacks.

In addition to the ‘accs’ option, the new REvil sample’s configuration has changed the SUB and PID options, used as campaign and affiliate identifiers, to use longer GUID-style values, such as ‘3c852cc8-b7f1-436e-ba3b-c53b7fc6c0e4.’
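
For analysts triaging extracted configs, the following added example (not code from the article or from any of the researchers it quotes) flags the two traits described above, GUID-style SUB/PID identifiers and a populated ‘accs’ field, and redacts the ‘accs’ credentials before a config is shared. The sample configs are constructed, and the layout of the ‘accs’ entries is an assumption; only the field names and the GUID value come from the article.

```python
import copy
import re
from typing import Any

# Constructed sample configs in the shape of an extracted REvil JSON config.
# Only the 'pid', 'sub' and 'accs' field names and the first GUID come from
# the article; the structure of the 'accs' entries is an assumption.
OLD_STYLE_CONFIG = {"pid": "23", "sub": "50", "dbg": False}
NEW_STYLE_CONFIG = {
    "pid": "3c852cc8-b7f1-436e-ba3b-c53b7fc6c0e4",
    "sub": "9f1b2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c5d",
    "accs": [{"domain": "CORP-EXAMPLE", "user": "svc_backup", "pass": "p@ss-constructed"}],
}

# Matches the longer GUID-style SUB/PID values the article describes.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def triage_config(cfg: dict[str, Any]) -> dict[str, Any]:
    """Flag the two traits attributed to the rebuilt encryptor: GUID-style
    SUB/PID identifiers and a populated 'accs' credential list.
    Missing or malformed fields count as absent instead of raising."""
    pid, sub = str(cfg.get("pid", "")), str(cfg.get("sub", ""))
    accs = cfg.get("accs")
    guid_ids = bool(GUID_RE.match(pid)) and bool(GUID_RE.match(sub))
    accs_count = len(accs) if isinstance(accs, (list, dict)) else 0
    return {
        "guid_style_ids": guid_ids,
        "accs_count": accs_count,
        # Both traits together are the strongest hint of the new build.
        "new_build_traits": guid_ids and accs_count > 0,
    }


def redact_accs(cfg: dict[str, Any]) -> dict[str, Any]:
    """Return a copy that is safe to share in a report: 'accs' holds victim
    credentials, so every value is blanked while key names and count remain."""
    safe = copy.deepcopy(cfg)
    accs = safe.get("accs")
    if isinstance(accs, list):
        safe["accs"] = [
            {k: "<redacted>" for k in e} if isinstance(e, dict) else "<redacted>"
            for e in accs
        ]
    elif isinstance(accs, dict):
        safe["accs"] = {k: "<redacted>" for k in accs}
    return safe
```

Running `triage_config` on both constructed configs reports `new_build_traits` only for the GUID-plus-‘accs’ one, and `redact_accs` leaves the original dictionary untouched.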

BleepingComputer also tested the ransomware sample, and while it did not encrypt, it did create the ransom note, which is identical to REvil’s old ransom notes.

REvil ransom note

Furthermore, while there are some differences between the old REvil sites and the rebranded operation’s, once a victim logs into the site it is almost identical to the originals, and the threat actors claim to be ‘Sodinokibi,’ as shown below.

New ransomware operation claiming to be Sodinokibi
Source: BleepingComputer

While the original public-facing REvil representative known as ‘Unknown’ is still missing, threat intelligence researcher FellowSecurity told BleepingComputer that one of REvil’s original core developers, who was part of the old team, relaunched the ransomware operation.

As this was a core developer, it would make sense that they also had access to the full REvil source code and possibly the Tor private keys for the old sites.

It is not surprising that REvil has rebranded under the new operation, especially with the declining relations between the USA and Russia.

However, when ransomware operations rebrand, they usually do it to evade law enforcement or sanctions that prevent the payment of ransoms.

Therefore, it is strange for REvil to be so public about their return, rather than trying to evade detection as we have seen in so many other ransomware rebrands.
