
Fresh ransomware samples indicate REvil is back
2022-05-11 14:30

New ransomware samples analyzed by Secureworks' threat intelligence team are the latest indication that high-profile ransomware operation REvil is once again up and running after months of relative inactivity.

"The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development."

REvil emerged in 2019 and quickly rose to become among the most notorious ransomware operations, being one of the earliest to use multiple extortion techniques beyond encrypting a victim's files - including stealing the data and threatening to publish it - to incentivize the targeted organization to pay the ransom.

The REvil Tor infrastructure began running again, though it redirected visitors to a new ransomware operation whose leak site includes data stolen both from new victims and from attacks carried out before the operation was shut down.

In late April, Avast researcher Jakub Kroustek tweeted that he had detected the new operation's encryptor, which looked like a REvil variant: it was timestamped April 27 and included a new configuration and campaign ID. He also noted that it did not encrypt files, but instead only appended a random extension to them.

"The October 2021 REvil sample removed code that verified the ransomware was not executing on a system that resided within a prohibited region," the CTU researchers wrote.
News URL

https://go.theregister.com/feed/www.theregister.com/2022/05/11/revil-returns-secureworks-samples/