The once defunct REvil ransomware is indeed back on the scene as researchers throw light on new developments. It has been found that the threat actors have resumed their operations, hinting at the evolution of newer versions of the ransomware that are likely to be seen in the future.

What’s the update?

During an analysis of infrastructural activity, researchers from Secureworks found that GOLD SOUTHFIELD, the operators behind  REvil, resumed its activity in April. The gang had suffered a major setback in October 2021 after federal agencies took down its infrastructure.
  • Moreover, analysis of the samples revealed that the operators have access to the original source code and are using it to build powerful versions of the ransomware. 
  • The latest version of the malware, tracked as 2.08, includes modifications in keys used for the encryption process, configuration storage location, affiliate tracking format, and domain used for dropping ransom notes.  

Previously detected indicators 

In the first week of May, it was found that the Tor site used by the REvil ransomware group had reemerged on the dark web.
  • However, the interesting aspect of the site was that it redirected visitors to URLs for new unnamed ransomware operations, instead of showing the old websites. 
  • Furthermore, these new sites contained a mix of new victims and data stolen during previous REvil attacks.

The bottom line

It won’t be a surprise if REvil resumes attacks by rebranding itself. It is a typical process used by threat actors to evade law enforcement or sanctions preventing the payment of ransom. Therefore, organizations must stay ahead of such threats and bolster their defense systems to thwart future ransomware attacks.
Cyware Publisher