As new evidence emerges, experts wonder: is REvil really back?
REvil, a ransomware gang that proved to be a nightmare to hundreds of organizations, has not disappeared. Probably, no one even expected it to. Now, new evidence points to its resurfacing.
When a ransomware group goes silent, it doesn't mean that hackers decided to ditch their black hats and get an office job. They may be lying low because of an increased spotlight, rebranding, or reorganizing to throw researchers and law enforcement off track.
For quite some time, it seemed that walls were closing in on the notorious REvil ransomware gang, known for extortion attacks against meat supplier JBS and software company Kaseya, amidst increased pressure from the US and the international community.
In January, the Russian domestic intelligence service, the FSB, detained 14 people and seized 426 million roubles, $600,000, 500,000 euros, computer equipment, 20 luxury cars, and other assets. At the time, many speculated this might be the final nail in REvil's coffin.
REvil operators have been quiet for a couple of months, but security analysts have found evidence that the ransomware gang with hundreds of companies on its victims' list has reemerged.
This April, the Gold Southfield threat group's infrastructure resumed activity after roughly half a year of silence. Gold Southfield operates the REvil (aka Sodinokibi) ransomware on behalf of various affiliated threat groups.
Researchers from the cybersecurity company Secureworks took a closer look at the REvil ransomware samples uploaded to the VirusTotal analysis service.
"Analysis of these samples indicates that the developer has access to REvil's source code, reinforcing the likelihood that the threat group has reemerged. The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development," Secureworks Counter Threat Unit said in its detailed report.
Their evidence adds more confidence to the rumors that REvil is back. In April, security researchers started noticing suspicious activity that could be associated with REvil's operation. The suspicion surrounding REvil's return only grew stronger when its leak and ransom payment sites, hosted on Tor, were reactivated.
Despite mounting evidence, security researchers are not yet convinced that REvil is back.
"It is currently unclear whether the restart of the infrastructure associated with REvil represents a genuine return to activity for the group, a scam, or a potential honeypot operation by law enforcement," Chris Morgan, senior analyst at cybersecurity firm Digital Shadows, said soon after REvil's blog site was reactivated.
Pointing to the lack of sufficient evidence, Morgan said it remained unclear for the foreseeable future whether this is, in fact, the original REvil, or simply another group operating under their name.
As a matter of fact, the January arrests of REvil members were made at the request of the United States, a rare case of bilateral cooperation between the two countries even before the Russian invasion of Ukraine. Since then, relations between Russia and the US have deteriorated, and cybercriminal gangs enjoying a safe haven in Russia might roam unpunished as long as their targets align with the Kremlin's geopolitical interests.
"There's evidence that they [Russians] are knocking on the door, looking around. It's almost as if they are gearing up to launch an attack. If you can think of sanctions that have been applied from the West towards Russia, at some point, they are going to have a retaliation," Den Jones, a former executive at Cisco and Adobe and current CSO at Banyan Security, recently told Cybernews.