REvil ransomware has returned with new infrastructure and an updated malware sample whose modified encryptor is built for more targeted attacks. Activity on REvil's Tor servers was first observed a few weeks ago.

The return of REvil

Recently, multiple malware analysts and researchers reported finding a REvil sample in a recent operation. The sample discussed below was compiled from the original source code with new changes, indicating that whoever built it has direct access to that source code.
  • A security researcher tweeted that the sample's version number has been changed to 1.0. However, it is a continuation of version 2.08, the last version REvil released before the operation was shut down.
  • Additionally, the CEO of Advanced Intel reverse-engineered the sample and concluded that it was compiled from the source code on April 26 rather than being a patched binary.
  • While the public-facing REvil representative known as 'Unknown' is still missing, researchers believe that one of REvil's original core developers relaunched the operation.

New sample with new enhancements

The recent REvil sample contains several new additions and code enhancements.
  • It has a new configuration field, 'accs', which holds a set of credentials for specific targets.
  • This field is used to prevent encryption on devices that do not have the specified accounts and Windows domains, which makes the sample suited to highly targeted attacks.
  • The PID and SUB configuration options, which serve as affiliate identifiers, have been modified to use longer GUID-type values (e.g. 3c852cc8-b7f1-436e-ba3b-c53b7fc6c0e4).
  • Additionally, it drops a ransom note that closely resembles REvil's earlier ransom notes.

Conclusion

It has already become a trend among ransomware groups to rebrand in order to evade law enforcement seizures or sanctions. Against that backdrop, it is unexpected to see REvil return under its own name instead of trying to evade detection. This may be a new trick intended to confuse security professionals. In any case, organizations should keep their defenses up to date to fend off such threats.

Cyware Publisher