New malware samples show possible REvil ransomware gang return

REvil ransomware attacks appear to be happening again, but it is unclear who operates the malware now

REvil ransomware is back? Newly discovered malware samples and an operational Tor website show that the REvil gang has started new attacks.

REvil ransomware made headlines with major cryptovirus attacks in previous years, until the shutdown in which law enforcement managed to arrest members of the gang.[1] It now seems that the notorious threat actors have returned with new infrastructure and an altered encryptor, allowing the gang to launch more targeted attacks.[2]

Law enforcement agents hijacked the ransomware operation's Tor servers, and Russian authorities arrested members of the group back in October.[3] The Tor site now appears to have been brought back to life, and these operations and attacks may be revived.

The site is back, but instead of showing the old version of the known website, it redirects visitors to URLs for a new, unnamed ransomware operation. The new site does not look identical to the previous REvil ransomware gang websites, but because the old infrastructure redirects to it, the operation was most likely renewed by the same gang.

The new site contains data stolen in REvil attacks

It is not certain whether the ransomware is the same REvil or new malware launched and operated under that same infrastructure. The website contains various information, such as data related to new victims and information stolen during older REvil ransomware[4] attacks.

These facts and similarities show strong signs of a rebrand, with the operation coming from the same gang. Back in November, the Tor sites displayed a message stating that REvil is bad. The newly accessible site shows that either law enforcement or other threat actors have obtained the system and the Tor site. It is not guaranteed proof that the REvil gang has fully returned, however.

The best way to know for sure would be analysis of a REvil ransomware sample and an encryption example. It could show whether the encryptor was patched or newly created from the source code of a different ransomware. That has been done, according to the researchers,[5] and the results show strong signs that these operations are related to the old REvil ransomware gang.

Usage of patched executables shows strong ties with the REvil ransomware gang

The analyzed ransomware sample does not provide direct access to the newly operational gang or their source code. These particular operations use the REvil encryptor with patched executables. However, many researchers confirm that the source code contains various changes and improvements. It contains some links to the latest REvil ransomware version, which was released right before the shutdown.

The encryptor does not fully encrypt the data, and it is unclear why, but the sample was confirmed to have been created from the source code, unlike the previous copies released after the REvil operations stopped. It was created with a function to input the particular credentials of the target, so these attacks can target people and companies directly.

It can also be used to prevent encryption on other devices that do not have the particular accounts and Windows domains. Even though some of the sample tests show that REvil ransomware is not encoding data, the ransom notes created during the attacks are identical to the ones known from previous years.

The rebirth might be related to the declining relations between the USA and Russia, so the ransomware can rebrand and continue with its operations.[6] This could also help the ransomware evade detection, sanctions, or law enforcement involvement.

About the author
Jake Doevan - Computer technology expert

Jake Doevan is one of News Editors for He graduated from the Washington and Jefferson College, Communication and Journalism studies.
