REvil Ransomware Is Making a Comeback

REvil ransomware (also known as Sodin) was first observed in April 2019 and has since been refined to make it harder to detect. Once a system is infected, it encrypts the data and drops a ransom note. The note informs the victim that a bitcoin ransom must be paid and that the demand will double if payment is not made within the stated deadline.

REvil is a textbook example of Ransomware as a Service (RaaS), a criminal model in which two parties collaborate on an attack: the developers who write and maintain the ransomware, and the affiliates who distribute it, run the intrusions and collect the payments. This division of labour is what makes REvil so damaging to businesses of every size. Sodinokibi, as REvil is also known, quickly became the world’s fourth most widely distributed malware, mostly hitting businesses in the United States and Europe.

What Happened?

As tensions between Russia and the United States escalate, the notorious REvil ransomware operation has reappeared, this time with new infrastructure and a modified encryptor that allows for more targeted attacks.

After the invasion of Ukraine, the Russian government said that the United States had withdrawn from negotiations concerning the REvil gang and had cut off communication channels with Russia on the matter.

Shortly afterwards, the old REvil Tor infrastructure came back online, but instead of serving the previous sites it redirected visitors to URLs belonging to a new, unnamed ransomware operation.

The fact that the old infrastructure pointed at the new sites strongly suggested that REvil was operating again, even though the new sites looked nothing like REvil’s earlier domains. The data leaked on the new sites was a mix of data from past REvil attacks and data from fresh victims.

Although these actions plainly suggested that REvil had rebranded as the new, unknown operation, the same Tor sites had previously displayed a notice in November reading “REvil is evil.”

Because that earlier defacement showed that other threat actors or law enforcement agencies had already gained access to REvil’s Tor sites, the sites alone were not conclusive evidence of the gang’s return.

According to security researcher R3MRUM, the new sample carries the version number 1.0, but it is in fact a continuation of version 2.08, the last build REvil released before the operation was forced to shut down.

As BleepingComputer reports, given the deteriorating relations between the United States and Russia, it is no surprise that REvil has resurfaced under a new name.
