Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Ransomware Gang REvil is Back in Town: Batten Down the Hatches!

May 5, 2022

BleepingComputer reported on May 1 that ransomware gang REvil is back in town, reappearing amid the escalating tensions between Russia and the U.S. – and it returns with new infrastructure and a modified encryptor that enables more targeted attacks.

You may recall that, in October, the REvil ransomware gang shut down after a law enforcement operation hijacked their Tor servers. This was followed by arrests of members by Russian law enforcement assisted by information given to Russia by the U.S.

After the invasion of Ukraine, Russia stated that the US had withdrawn from the negotiation process regarding the REvil gang and closed communications channels.

Soon after that, the old REvil Tor infrastructure began operating again, but instead of showing the old websites, they redirected visitors to URLs for a new unnamed ransomware operation.

While these sites didn’t look like REvil’s previous websites, the fact that the old infrastructure was redirecting to the new sites was taken as evidence that REvil was operating again. Further, these new sites contained both new victims and data stolen during previous REvil attacks. Although strong evidence of REvil’s revival, the only way to know for certain whether REvil was back was to find a sample of the ransomware encryptor and analyze it to determine if it was patched or compiled from source code.

A sample of the new ransomware operation’s encryptor was finally discovered by AVAST researcher Jakub Kroustek who confirmed the new operation’s ties to REvil.

While several ransomware operations are using REvil’s encryptor, they all use patched executables rather than having direct access to the gang’s source code.

BleepingComputer was told by multiple security researchers and malware analysts that the discovered REvil sample used by the new operation is compiled from source code and includes new changes. Also, the ransom note created is identical to REvil’s old ransom note.

While there are some differences between the old REvil sites and the rebranded operation, once a victim logs into the site, it is almost identical to the originals.

It is unusual for REvil to be so public about its return, rather than trying to escape detection as we have seen with so many other ransomware rebrands.

Exactly how this reemergence is connected to the tensions between U.S. and Russia is a matter of speculation. But I am pretty sure it does not bode well for the future. “Shields Up!” should definitely be our mantra.

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology