Fresh ransomware samples indicate REvil is back

Secureworks' investigation is only the latest evidence Kaseya and JBS attackers are on the move again

New ransomware samples analyzed by Secureworks' threat intelligence team are the latest indication that high-profile ransomware operation REvil is once again up and running after months of relative inactivity.

Secureworks' Counter Threat Unit (CTU) investigated samples that were uploaded to the VirusTotal analysis service and found some showing that the developer of the code has access to REvil's source code, "reinforcing the likelihood that the threat group has reemerged," the researchers wrote in a blog post this week.

"The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development."

They took a sample from March 22 that showed a likely link to code published in April to a new leak site related to the REvil operation and compared it with a sample identified by CTU in October 2021. There were some modifications in the new sample, but it also included functionality found in the older sample.

Secureworks' analysis is only the latest indication that the ransomware-as-a-service (RaaS) gang behind REvil – identified by the cybersecurity vendor as Russia-linked Gold Southfield – is back in operation after law-enforcement actions forced it to shut down in October 2021.  

REvil emerged in 2019 and quickly rose to become among the most notorious ransomware operations, being one of the earliest to use multiple extortion techniques beyond encrypting a victim's files – including stealing the data and threatening to publish it – to incentivize the targeted organization to pay the ransom.

The group was also behind the high-profile 2021 attacks on IT management software maker Kaseya and global meat processor JBS Foods. Kaseya refused to pay the ransom, but JBS reportedly paid $11 million to make its operations whole again.

Such attacks put REvil and its affiliates in the crosshairs of US law enforcement agencies and led to the arrest of seven affiliate members in Europe and elsewhere. In October 2021, a multi-country law enforcement operation seized control of REvil's TOR server infrastructure, forcing the group to shut down.

Post 2021 takedown activity

However, within a few months, evidence began to mount that REvil operators were getting the band back together. The REvil TOR infrastructure began running again, though it redirected visitors to a new ransomware operation whose leak site included data stolen both from new victims and from attacks carried out before the operation was shut down.

In April 2022, more evidence emerged when security researchers said on Twitter they had found the latest REvil leak site being promoted on RuTOR, a Russian-language forum and marketplace. At the time, there were skeptics among cybersecurity experts who said more evidence was needed to convince them that REvil had returned.

In late April, Avast researcher Jakub Kroustek tweeted that he had detected the new operation's encryptor that looked like a variant of REvil (also known as Sodinokibi) that was timestamped April 27, and included a new configuration and campaign ID.

He also noted that it didn't encrypt files, but instead only added a random extension. However, the Secureworks researchers attributed this to a programming error, saying modifications by the malware author included a bug within a test that determines if the file rename operation was successful.
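That rename-without-encrypt bug matters to responders: a share full of files carrying a ransomware extension may still be fully recoverable if the bytes underneath were never touched. The following triage script is an added example and is not Secureworks' or the malware author's code; it walks a directory, picks out files with a suspect extension, and decides from intact file signatures and byte entropy whether each one was really encrypted or only renamed. The extension `.qz7rk`, the sample files and the 7.5-bit entropy threshold are all constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter

# A file whose original magic bytes are still in place was not encrypted in-place;
# the list is deliberately short and is an illustration, not an exhaustive table.
KNOWN_MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"{\\rtf": "rtf",
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, usually well below 6 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_sample(data: bytes, threshold: float = 7.5) -> str:
    """Return 'renamed-only (...)', 'likely-encrypted' or 'undetermined' for a file head."""
    for magic, kind in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return f"renamed-only ({kind} header intact)"
    if shannon_entropy(data[:65536]) >= threshold:
        return "likely-encrypted"
    # Plain text that survived untouched is also recoverable by stripping the extension.
    if all(32 <= b < 127 or b in b"\r\n\t" for b in data[:4096]):
        return "renamed-only (printable text)"
    return "undetermined"

def triage_directory(root: str, suspect_ext: str) -> dict:
    """Map every file under root carrying suspect_ext to a classification."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(suspect_ext):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)   # the first 64 KiB is enough to judge
            results[path] = classify_sample(head)
    return results

def demo() -> dict:
    """Build a constructed victim directory and triage it; returns {basename: verdict}."""
    ext = ".qz7rk"                        # made-up extension standing in for a random one
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "report.docx" + ext), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"\x00" * 200)          # renamed, header intact
    with open(os.path.join(tmp, "notes.txt" + ext), "wb") as fh:
        fh.write(b"quarterly numbers\n" * 50)           # renamed plain text
    with open(os.path.join(tmp, "ledger.xlsx" + ext), "wb") as fh:
        fh.write(os.urandom(8192))                       # stands in for real ciphertext
    return {os.path.basename(p): v for p, v in triage_directory(tmp, ext).items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Files reported as renamed-only can be restored by removing the appended extension, while anything classed likely-encrypted still needs a decryptor or backups; an entropy check on its own can be fooled by already-compressed formats such as zip or jpeg, which is why the signature check runs first.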

In the samples analyzed by Secureworks' CTU, changes in the source code included updates to the string decryption logic to make it rely on a new command-line argument, updates to hard-coded public keys and changes to the configuration storage location and affiliate tracking data format.

The new malware also removes the prohibited region check.

"The October 2021 REvil sample removed code that verified the ransomware was not executing on a system that resided within a prohibited region," the CTU researchers wrote. "This removal enabled REvil to execute on any system regardless of its location."

In addition, the ransom note to one of the latest victims referenced the same TOR domains that became active in late April.

The probable return of REvil coincides with Russia's unprovoked invasion of neighboring Ukraine.

The US and Russia were negotiating a joint operation agreement to help protect critical infrastructure from cybersecurity attacks, an important development given Russia's harboring of – and close ties with some – cybercriminal gangs within its borders.

In early January, more than a dozen REvil members were arrested by Russian law-enforcement agencies.

However, the US backed out of the negotiations in the wake of the invasion. ®
