The mystery behind the samples of the new REvil ransomware operation

The REvil ransomware gang has resumed its operations, experts found a new encryptor and a new attack infrastructure.

The REvil ransomware operation shut down in October 2021, in January the Russian Federal Security Service (FSB) announced to have shut down the REvil ransomware gang, the group that is behind a long string of attacks against large organizations, such as Kaseya and JBS USA. The FSB claims to have identified all members of the REvil gang and monitored their operations. The police operation was conducted by Russian authorities following a request by the United States that shared info about members of the gang.

The Russian police arrested 14 alleged members of the ransomware gang and raided 25 addresses seizing computer equipment and cryptocurrency wallets. The raids took place in Moscow, St. Petersburg, Leningrad, and Lipetsk regions.

The beginning of the invasion of Ukraine by Russia and the tensions with the NATO alliance supporting Kyiv has brought about some disturbing changes in the threat landscape.

A few weeks later, the REvil Tor infrastructure was up again, but it was redirecting visitors to a new leak site showing a list of new compromised organizations along with past victims of the ransomware gang.

The Tor site was also defaced by threat actors and some experts speculate it was temporarily operated by feds as part of a crime investigation.

Last week, the malware researcher Jakub Kroustek from AVAST, discovered a sample of a new REvil encryptor. The expert noticed that the sample does not encrypt files, it only adds a random extension to the victim’s files.

According to BleepingComputer, multiple malware researchers discovered new REvil samples that have been compiled from the original source code, but that implements new changes.

Tweets by WhichbufferArda

BleepingComputer correctly pointed out that the public return of REvil operation is suspicious.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, REvil ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.