
Ransomware gang is back after months of inactivity, according to new REvil samples.

A study of fresh ransomware samples indicates that the notorious ransomware operation known as REvil (aka Sodin or Sodinokibi) has returned after six months of quiet.

Researchers from Secureworks’ Counter Threat Unit (CTU) stated in a report released Monday that “analysis of these samples reveals that the developer has access to REvil’s source code, bolstering the assumption that the threat organization has resurfaced.”

“The discovery of many samples with varied alterations in such a short period of time, as well as the lack of an official new version, suggests that REvil is once again in active development.”

REvil, short for Ransomware Evil, is a ransomware-as-a-service (RaaS) scheme linked to Gold Southfield, a Russia-based/speaking organization that emerged shortly after GandCrab’s activity dwindled and the latter declared their retirement.

It is also one of the first operations to adopt the double extortion strategy, in which data stolen during a breach is used to apply additional pressure and force victims to pay up.

The ransomware organization, which has been active since 2019, made headlines last year for high-profile attacks on JBS and Kaseya, and formally closed its business in October 2021 after its server infrastructure was stolen by government authorities.

Earlier this month, the Russian Federal Security Service (FSB) detained several members of the cybercrime ring following searches at 25 different sites around the country.

REvil’s data leak site on the TOR network began redirecting to a new server on April 20, and cybersecurity firm Avast said a week later that it had stopped a ransomware sample “that seems like a new Sodinokibi / REvil variant” in the wild.

While the sample in question was found not to encrypt files and instead only appended a random extension, Secureworks attributed this to a bug in the feature that renames encrypted files.

Furthermore, the latest samples analyzed by the cybersecurity company — which carry a March 11, 2022 timestamp — contain substantial source-code changes that distinguish them from another REvil artefact from October 2021.

Its string decryption mechanism, configuration storage location, and hard-coded public keys have all been updated. The Tor domains in the ransom note have also been updated, pointing to the same sites that went live last month:

  • REvil leak site: blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd[.]
  • Site for paying the ransom: landxxeaf2hoyl2jvcwuazypt6imcsbmhb7kx3x33yhparvtmkatpaad[.]

REvil’s resurgence is likely linked to Russia’s ongoing invasion of Ukraine, which prompted the US to withdraw from a promised collaboration between the two countries to protect critical infrastructure.

The move is yet another indicator that ransomware actors break up only to reassemble and rebrand under a new name, picking up right where they left off, which underscores the difficulty of entirely eradicating cybercriminal organizations.

“This blog offers general information. It is by no means professional advice. The information above is believed to be factually correct. The information provided is based solely on the author’s judgment and is subject to change. It is not endorsed by any third parties or other brands.”

#REvilSamples #Ransomware #CyberCriminal #FederalSecurityService

Article Credits –
thehackernews.com

Author

Minecodes Software
