New REvil Samples Indicate Ransomware Gang is Back After Months of Inactivity
2022-05-10 19:47

The notorious ransomware operation known as REvil has resumed after six months of inactivity, an analysis of new ransomware samples has revealed.

"Analysis of these samples indicates that the developer has access to REvil's source code, reinforcing the likelihood that the threat group has reemerged," researchers from Secureworks Counter Threat Unit said in a report published Monday.

"The identification of multiple samples with varying modifications in such a short period of time and the lack of an official new version indicates that REvil is under heavy active development once again."

REvil, short for Ransomware Evil, is a ransomware-as-a-service (RaaS) scheme attributed to a Russia-based, Russian-speaking group tracked as Gold Southfield; it emerged just as GandCrab activity declined and that operation announced its retirement.

The apparent resurgence comes as REvil's data leak site on the Tor network began redirecting to a new host on April 20, with cybersecurity firm Avast disclosing a week later that it had blocked a ransomware sample in the wild "that looks like a new Sodinokibi / REvil variant."

On top of that, the new samples dissected by Secureworks, which carry a timestamp of March 11, 2022, incorporate notable changes to the source code that set them apart from another REvil artifact dated October 2021.
News URL

https://thehackernews.com/2022/05/new-revil-samples-indicate-ransomware.html