Chris Swagler | May 16th, 2022

The infamous REvil ransomware operation has reappeared amid escalating tensions between Russia and the United States, with new infrastructure and a modified encryptor that allows for more targeted attacks. Notably, the United States withdrew from the negotiation process concerning the REvil group and closed the communication channels after Russia invaded Ukraine.

The old REvil Tor infrastructure started up again; however, instead of displaying the old websites, it now redirects visitors to the URLs of a new, unnamed ransomware operation. Even though the websites don’t resemble REvil’s previous websites, the fact that the old infrastructure redirects to the new sites indicates that REvil is operating again. Additionally, the new websites list a combination of new victims and data stolen in previous REvil attacks. Even though these events suggest that REvil has rebranded as the new unnamed operation, the Tor sites had previously shown a message stating “REvil is bad” in November.

Because other threat actors or law enforcement could have had access to REvil’s Tor sites, the websites themselves were not sufficient proof of the group’s reappearance. The only way to know for sure that REvil is back was to find a sample of the ransomware encryptor and analyze it to determine whether it was patched or compiled from source code. Finally, a researcher discovered a sample of the new ransomware operation’s encryptor, confirming the new operation’s ties to REvil.

Even though REvil’s encryptor is used by a few other ransomware operations, they all use patched executables rather than having direct access to the group’s source code. However, numerous security researchers and malware analysts discovered that the REvil sample being used by the new operation is compiled from source code and includes new changes. A security researcher explained that the REvil sample carries version number 1.0; however, it’s a continuation of the last version, 2.08, released by REvil before they shut down.

The researcher doesn’t know why the encryptor doesn’t encrypt data but believes it was built from source code. The researcher believes that the threat actor has the source code and that, unlike “LV Ransomware,” the binary hasn’t been patched. A cybersecurity company reverse-engineered the REvil sample and confirmed that it was compiled from source code on April 26th and was not patched. The new REvil sample includes a new configuration field, called “accs,” containing credentials for the specific victim that the attack is targeting.

In addition to the “accs” option, the new REvil sample’s configuration has modified SUB and PID options, used as campaign and affiliate identifiers, to use longer GUID-type values, such as ‘3c852cc8-b7f1-436e-ba3b-c53b7fc6c0e4.’ Even though the ransomware sample didn’t encrypt, it created a ransom note identical to REvil’s old ransom notes. Additionally, while there are several differences between the old REvil sites and the rebranded operation, the new site is almost identical to the originals after the victim logs in, and the threat actors pretend to be “Sodinokibi.”
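As an added example (not code from the article or from any analyzed sample), the following Python triages a decoded JSON configuration for the two traits described above: the presence of an “accs” field and GUID-shaped SUB/PID values. The JSON layout, the key names in lower case, and the list shape of “accs” are assumptions; both sample configurations are constructed, and credential values are only counted, never echoed.

```python
import json
import uuid

# Field names follow the article: "sub" and "pid" are campaign/affiliate
# identifiers, "accs" holds per-victim credentials. Key matching is
# case-insensitive because the article writes SUB/PID in upper case.

def _get(cfg, name):
    """Return the value for a key, matched case-insensitively."""
    for key, value in cfg.items():
        if key.lower() == name:
            return value
    return None

def is_guid(value):
    """True only for a canonical hyphenated GUID such as
    3c852cc8-b7f1-436e-ba3b-c53b7fc6c0e4 (the form quoted in the article)."""
    if not isinstance(value, str):
        return False
    try:
        return str(uuid.UUID(value)).lower() == value.lower()
    except ValueError:
        return False

def triage_config(raw_json):
    """Summarise a decoded JSON config; credentials are counted, not returned."""
    cfg = json.loads(raw_json)
    accs = _get(cfg, "accs")
    result = {
        "has_accs": accs is not None,
        "accs_count": len(accs) if isinstance(accs, (list, dict)) else 0,
        "guid_sub": is_guid(_get(cfg, "sub")),
        "guid_pid": is_guid(_get(cfg, "pid")),
    }
    result["matches_new_variant"] = (
        result["has_accs"] and result["guid_sub"] and result["guid_pid"]
    )
    return result

# Constructed sample configurations (not taken from any real sample).
OLD_STYLE_CONFIG = json.dumps({"sub": "5524", "pid": "37", "dbg": False})
NEW_STYLE_CONFIG = json.dumps({
    "sub": "3c852cc8-b7f1-436e-ba3b-c53b7fc6c0e4",
    "pid": "7b1e2f40-9c3d-4a5e-8f60-1d2e3f4a5b6c",  # constructed placeholder GUID
    "accs": [{"user": "PLACEHOLDER", "pass": "PLACEHOLDER"}],  # assumed layout
})

if __name__ == "__main__":
    for label, cfg in (("old-style", OLD_STYLE_CONFIG), ("new-style", NEW_STYLE_CONFIG)):
        print(label, triage_config(cfg))
```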

According to a threat intelligence researcher, even though the original public-facing REvil representative known as “Unknown” is still missing, the ransomware operation was relaunched by one of REvil’s original core developers who was part of the old team. Given that this was a core developer, it makes sense that they had access to the complete REvil source code and to the Tor private keys for the old sites.

With the declining relations between the United States and Russia, it’s not surprising that REvil has rebranded under a new operation. When ransomware operations rebrand, it’s usually to avoid law enforcement or sanctions that prevent ransom payments. It’s unusual for REvil to be so public about their return, rather than attempting to evade detection like so many other ransomware rebrands. With the reemergence of REvil as a new unnamed ransomware operation, it’s even more critical for companies to stay ahead of the current threat landscape and to regularly keep offline backups of network data.

At SpearTip, we help companies get back up and running in record time following a serious breach when it comes to handling their cyber incident response. Our Security Operations Centers are staffed 24/7/365 with certified engineers bringing decades of combined experience, working in a continuous investigative cycle, ready to respond to events at a moment’s notice. When it comes to protecting companies’ sensitive and valuable data, it’s paramount to know exactly what happened in their environments. Our engineers will join their teams on-scene to investigate the nature of the breach, conduct thorough data analysis, and execute the recovery plan to return companies to their normal operations.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.