Researchers warn of REvil return after January arrests in Russia
Image: The Record
Jonathan Greig May 16, 2022

Researchers warn of REvil return after January arrests in Russia

Researchers warn of REvil return after January arrests in Russia

The notorious REvil ransomware group has made yet another reemergence on the cybercrime scene, according to several security researchers tracking attacks. 

The group shut down operations for the second time in October after claiming in a message posted on an underground hacking forum that they lost control over their TOR-based domains. Law enforcement officials from multiple countries eventually revealed that they were involved in disrupting the ransomware gang’s operation. 

In January, Russian officials with the Federal Security Service conducted 25 raids on homes owned by 14 members suspected to be part of the REvil team across Moscow, St. Petersburg, Leningrad, and the Lipetsk regions.  

Eight people allegedly involved in the ransomware gang were later hit with charges by a court in Moscow. 

But three weeks ago, researchers discovered that REvil ransomware’s servers in the TOR network were back up and running. The group’s blog also returned. 

Digital Shadows senior cyber threat intelligence analyst Chris Morgan tied the group’s return to a dispute between officials in Russia and the U.S., who officially closed off a channel of communication dedicated to cybersecurity issues following the Russian invasion of Ukraine. 

“The potential return of REvil coincides with the closure of dialogue channels for discussing cybersecurity issues between the United States and Russia. As a result, it is realistically possible that Russian authorities have dropped their investigation into the group or otherwise indicated to REvil’s operators that they could restart their operations, following the arrest of several members in January 2022,” Morgan told The Record. 

“Precisely who is coordinating REvil’s return is unclear; the revival may have been facilitated through one of REvils former members or otherwise someone who had access to the source code and infrastructure previously used by the group.”

Morgan added that analysis of the source code used by REvil in recent attacks indicated that changes had taken place, which may indicate development had occurred since the group went underground in January 2022. 

However, the sample Morgan analyzed was not found to be encrypting files and was adding a random extension. This could be explained either as an operational error or someone attempting to masquerade as the group and mimicking real attacks, Morgan explained. 

Since the group’s return, several researchers have spotted REvil attacks and dealt with victims of the ransomware. 

Recorded Future ransomware expert Allan Liska told The Record that there have been several REvil attacks. On top of the victims posted to their website, Liska said several of his sources working on incident response teams have reported REvil attacks or attempted intrusions. 

“Most people don’t think the original operators behind REvil were among those arrested in the first place,” Liska noted. 

“From what I have seen, which is admittedly very limited, these new attacks do not seem as skilled as previous REvil attacks.” 

Liska theorized that it is unclear whether the original developers are behind the group’s return, explaining that the return may involve former affiliates taking over REvil’s code or rusty REvil operators conducting operations after a lengthy amount of time away from operation. 

“But, I think it is too early to make a definitive statement one way or the other,” Liska said. 

Other experts, like Emsisoft Threat Analyst Brett Callow, said they believe one or more core individuals associated with the REvil operation are again active.

Callow pointed to several victims that have been added to the group’s leak site and even noted that he has seen some affected organizations eventually removed from REvil’s site, indicating some organizations are already paying ransoms again. 

Morgan said there has been a lack of clarification from the group on whether they are indeed back to business or if this is a part of a new operation. 

The lack of clarity will likely leave other members of the cybercriminal community to be highly suspicious of the new REvil operation, due to the association with law enforcement compromise, he explained. 

“This was reflected by initial commentary from the cybercriminal community, who have expressed that they would be distrustful even if the return were coordinated by the original members of REvil’s operation,” Morgan said.  

“Only time will clarify whether REvil has indeed returned or whether the group’s current operation represents an imposter looking to ride the coattails of the group’s reputation.”

The Secureworks Counter Threat Unit team released a detailed breakdown of a new REvil sample on Monday, writing in a report that whoever is behind the group’s return had access to original source code and is actively developing the ransomware. 

The new version has several notable features, according to Secureworks, including changes to its string decryption logic and the embedded credentials that link the sample to a victim published to the REvil leak site in April.

“Whoever is now operating REvil has access to the ransomware source code and parts of the old infrastructure used in support of it. It is possible that some or all of GOLD SOUTHFIELD members were released by the Russian authorities and that they have now returned to operations,” the Secureworks Counter Threat Unit team told The Record. 

“It is equally plausible that not all members were arrested in the first place and have restarted the operation, with or without new members. Or a trusted affiliate of GOLD SOUTHFIELD has taken over the operation with the blessing of the group. In fact, this is how the group started out themselves; the operators of Gandcrab, GOLD GARDEN, retired and sold their operation to an affiliate group we now call GOLD SOUTHFIELD.”

They noted that as additional samples are analyzed and modifications are compared, they may be able to figure out who the developer is based on changes made and coding style.

So far, the Secureworks Counter Threat Unit said it is aware of six total victims, with four being posted to the REvil leak site and two additional victims being identified via sample configurations extracted by CTU researchers.

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.