Fresh ransomware samples indicate REvil is back

New ransomware samples analyzed by Secureworks' threat intelligence team are the latest indication that high-profile ransomware operation REvil is once again up and running after months of relative inactivity.

Secureworks' Counter Threat Unit (CTU) investigated samples that were uploaded to the VirusTotal analysis service and found some showing that the developer of the code has access to REvil's source code, "reinforcing the likelihood that the threat group has reemerged," the researchers wrote in a blog post this week.

"The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development."

They took a sample from March 22 that showed a likely link to code published in April to a new leak site related to the REvil operation and compared it with a sample identified by CTU in October 2021. There were some modifications in the new sample but it also includes functionality found in the older sample.

Secureworks' analysis is only the latest indication that the ransomware-as-a-service (RaaS) gang behind REvil – identified by the cybersecurity vendor as Russia-linked Gold Southfield – is back in operation after law-enforcement actions forced it to shut down in October 2021.  

REvil emerged in 2019 and quickly rose to become among the most notorious ransomware operations, being one of the earliest to use multiple extortion techniques beyond encrypting a victim's files – including stealing the data and threatening to publish it – to incentivize the targeted organization to pay the ransom.

The group also was behind the high-profile 2021 attacks on IT management software maker Kaseya and global meat processor JBS Foods. Kaseya refused to pay the ransom but JBS reportedly paid $11 million to make their operations whole again.

Such attacks put REvil and its affiliates in the crosshairs of US law enforcement agencies and led to the arrest of seven affiliate members in Europe and elsewhere. In October 2021, a multi-country law enforcement operation seized control of REvil's TOR server infrastructure, forcing the group to shut down.

Post 2021 takedown activity

However, within a few months, evidence began to mount that REvil operators were getting the band back together. The REvil TOR infrastructure began running again, though it redirected people to a new ransomware operation that include data stolen both from new victims and from previous attacks before the operations were shut down.

In April 2022, more evidence emerged when security researchers said on Twitter they found the latest REvil leak site being promoted on RuTOR, a Russian-language forum and marketplace. At the time, there were skeptics among cybersecurity experts that said more evidence was needed to convince them that REvil had returned.

In late April, Avast researcher Jakub Kroustek tweeted that he had detected the new operation's encryptor that looked like a variant of REvil (also known as Sodinokibi) that was timestamped April 27, and included a new configuration and campaign ID.

He also noted that it didn't encrypt files, but instead only added a random extension. However, the Secureworks researchers attributed this to a programming error, saying modifications by the malware author included a bug within a test that determines if the file rename operation was successful.

In the samples analyzed by Secureworks' CTU, changes in the source code included updates to the string decryption logic to make it rely on a new command-line argument, updates to hard-coded public keys and changes to the configuration storage location and affiliate tracking data format.

The new malware also removes the prohibited region check.

• Confessions of a ransomware negotiator: Well, somebody's got to talk to the criminals holding data hostage
• Ransomware plows through farm machinery giant AGCO
• FBI: Cyber-scams cost victims $6.9b-plus worldwide in 2021
• When the bits hit the fan: What to do when ransomware strikes

"The October 2021 REvil sample removed code that verified the ransomware was not executing on a system that resided within a prohibited region," the CTU researchers wrote. "This removal enabled REvil to execute on any system regardless of its location."

In addition, the ransom note to one of the latest victims referenced the same TOR domains that became active in late April.

The probable return of REvil coincides with Russia's unprovoked invasion of neighboring Ukraine.

The US and Russia were negotiating a joint operation agreement to help protect critical infrastructure from cybersecurity attacks, an important development given Russia's harboring of – and close ties with some – cybercriminal gangs within its borders.

In early January, more than a dozen REvil members were arrested by Russian law-enforcement agencies.

However, the US backed out of the negotiations in the wake of the invasion. ®