May 24, 2024


New malware sample confirms gang is back


REvil ransomware

The infamous REvil ransomware operation has returned amid growing tensions between Russia and the United States, with new infrastructure and a modified encryptor that allows for more targeted attacks.

In October, the REvil ransomware gang shut down after a law enforcement operation hijacked their Tor servers, followed by arrests of members by Russian law enforcement.

However, after the invasion of Ukraine, Russia stated that the US had withdrawn from the negotiation process regarding the REvil gang and closed communication channels.

REvil’s Tor sites come back to life

Soon after, the old REvil Tor infrastructure began operating again, but instead of displaying the old sites, it redirected visitors to URLs for a new, unnamed ransomware operation.

While these sites looked nothing like REvil’s previous sites, the fact that the old infrastructure was redirecting to the new pages indicated that REvil was likely operating again. Furthermore, these new sites contained a mix of new victims and data stolen during previous REvil attacks.

While these events strongly indicated that REvil had rebranded as the new unnamed operation, the Tor sites had also previously displayed a message in November stating that “REvil is bad.”

This meant that other threat actors or law enforcement had access to REvil’s Tor sites, so the sites themselves were not strong enough evidence of the gang’s return.

REvil’s Tor sites are defaced with an anti-REvil message
Source: BleepingComputer

The only way to know for sure whether REvil was back was to find a sample of the ransomware encryptor and analyze it to determine whether it was patched or compiled from source code.

A sample of the new ransomware operation’s encryptor was finally discovered this week by AVAST researcher Jakub Kroustek and has confirmed the new operation’s ties to REvil.

Ransomware sample confirms return

While a few ransomware operations are using REvil’s encryptor, they all use patched executables rather than having direct access to the gang’s source code.

However, BleepingComputer has been told by numerous security researchers and malware analysts that the discovered REvil sample used by the new operation is compiled from source code and includes new changes.

Security researcher R3MRUM has tweeted that the REvil sample has had its version number changed to 1. but is a continuation of the last version, 2.08, released by REvil before they shut down.

Version change in new REvil encryptor

In a conversation with BleepingComputer, the researcher said he could not explain why the encryptor is not encrypting files but believes it was compiled from source code.

“Of course, my assessment is that the threat actor has the source code. Not patched like “LV Ransomware” did,” R3MRUM told BleepingComputer.

Advanced Intel CEO Vitali Kremez also reverse-engineered the REvil sample this weekend and has confirmed to BleepingComputer that it was compiled from source code on April 26th and was not patched.

Kremez told BleepingComputer that the new REvil sample includes a new configuration field, ‘accs,’ which contains credentials for the specific victim that the attack is targeting.

Kremez believes that the ‘accs’ configuration option is used to prevent encryption on other devices that do not contain the specified accounts and Windows domains, allowing for highly targeted attacks.

In addition to the ‘accs’ option, the new REvil sample’s configuration has modified SUB and PID options, used as campaign and affiliate identifiers, to use longer GUID-type values, such as ‘3c852cc8-b7f1-436e-ba3b-c53b7fc6c0e4.’

BleepingComputer also tested the ransomware sample, and while it did not encrypt, it did create the ransom note, which is identical to REvil’s previous ransom notes.

REvil ransom note

Furthermore, while there are some differences between the old REvil sites and the rebranded operation, once a victim logs into the site, it is almost identical to the originals, and the threat actors claim to be ‘Sodinokibi,’ as shown below.

New ransomware operation claiming to be Sodinokibi
Source: BleepingComputer

While the original public-facing REvil representative known as ‘Unknown’ is still missing, threat intelligence researcher FellowSecurity told BleepingComputer that one of REvil’s original core developers, who was part of the old team, relaunched the ransomware operation.

As this was a core developer, it would make sense that they also had access to the full REvil source code and possibly the Tor private keys for the old sites.

It is not surprising that REvil has rebranded under the new operation, especially with the declining relations between the USA and Russia.

However, when ransomware operations rebrand, they usually do it to evade law enforcement or sanctions preventing the payment of ransoms.

Therefore, it is unusual for REvil to be so public about their return, rather than trying to evade detection as we have seen in so many other ransomware rebrands.
