REvil ransomware group is back with a vengeance

Representational image of a cybercriminal
(Image credit: Pixabay)

The REvil ransomware group is back in operation with new infrastructure and a modified encryptor after supposedly being shut down last year.

Back in October of 2021, the notorious ransomware gang was shut down after a law enforcement operation hijacked its Tor servers. This was then followed by several of its key members being arrested by Russia’s FSB.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

As Russia’s invasion of Ukraine soured relations between it and the US, the US government went ahead and unilaterally shut down the communication channel it had on cybersecurity with Moscow. As a result, the US has also withdrawn itself from the negotiation process regarding REvil.

While it seemed for a bit there that REvil had closed shop for good, the group’s old Tor infrastructure recently began operating again. However, instead of showing old websites, its Tor servers redirected visitors to URLs for a new unnamed ransomware operation according to a report from BleepingComputer.

A new REvil encryptor

Websites are redirected all the time which is why finding a new sample of REvil’s ransomware encryptor and analyzing it is the only way to tell whether or not the cybercriminal group has really returned.

Fortunately, malware research director at Avast, Jakub Kroustek recently found a sample of the encryptor used by the new ransomware group that may or may not be REvil. It’s worth noting that other ransomware operations have used REvil’s encryptor in the past but they all used patched executables as opposed to having direct access to the group’s source code.

Multiple security researchers and malware analysts that spoke with BleepingComputer have confirmed that this new sample is compiled from REvil’s source code though it does include some new changes. In a post on Twitter, security researcher R3MRUM said that although the sample’s version number is 1.0, it is actually a continuation of REvil’s last encryptor version (2.08) which was released before the group was shut down.

Advanced Intel CEO Vitali Kremez was also able to reverse engineer the sample in question and he confirmed to BleepingComputer that it was compiled from source code on April 26 and not patched.

Although REvil’s original public-facing representative known as “Unknown” remains missing, threat intelligence researcher FellowSecurity told the news outlet that one of the ransomware group’s original core developers had relaunched the operation under a new name.

At this time, we still don’t know what this rebranded version of the REvil ransomware group refers to itself as but now that REvil is back, expect to see more high-profile attacks on important and valuable targets worldwide.

Via BleepingComputer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Read more
ransomware avast
“Every organization is vulnerable” - ransomware dominates security threats in 2024, so how can your business stay safe?
A laptop with a red screen with a white skull on it with the message: "RANSOMWARE. All your files are encrypted."
More reports claim 2024 was the worst year for ransomware attacks yet
Hands typing on a keyboard surrounded by security icons
35 years on: The history and evolution of ransomware
A laptop with a red screen with a white skull on it with the message: "RANSOMWARE. All your files are encrypted."
Less than half of ransomware incidents end in payment - but you should still be on your guard
Russia
Major Russian hacking group shifts focus to US and UK targets
Cl0p ransomware group says it was behind Cleo attacks
Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 16 (game #1147)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 16 (game #378)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 16 (game #644)
Three iPhone 16 handsets on show
Apple could launch an iPhone 17 Ultra this year – but we've heard these rumors before
Super Mario Odyssey
ChatGPT is the ultimate gaming tool - here's 4 ways you can use AI to help with your next playthrough