New REvil Samples Indicate Ransomware Gang is Back After Months of Inactivity

REvil Ransomware

The notorious ransomware operation known as REvil (aka Sodin or
Sodinokibi) has resumed after six months of inactivity, an analysis
of new ransomware samples has revealed.

“Analysis of these samples indicates that the developer has
access to REvil’s source code, reinforcing the likelihood that the
threat group has reemerged,” researchers from Secureworks Counter
Threat Unit (CTU) said[1] in a report published Monday.

“The identification of multiple samples with varying
modifications in such a short period of time and the lack of an
official new version indicates that REvil is under heavy active
development once again.”

REvil, short for Ransomware Evil, is a ransomware-as-a-service
(RaaS) scheme attributed to a Russia-based, Russian-speaking group
known as Gold Southfield[2]. It emerged just as GandCrab[3]
activity declined and that group announced its retirement.

It’s also one of the earliest groups to adopt the double
extortion scheme in which stolen data from intrusions is used to
generate additional leverage and compel victims into paying up.

Operational since 2019[4], the ransomware group
made headlines last year for their high-profile attacks on JBS[5]
and Kaseya[6], prompting the gang to
formally shut shop in October 2021 after a law enforcement action[7]
hijacked its server infrastructure.

Earlier this January, several members[8]
belonging to the cybercrime syndicate were arrested by Russia’s
Federal Security Service (FSB) in the wake of raids conducted at 25
different locations in the country.

The apparent resurgence comes as REvil’s data leak site in the
TOR network began redirecting[9]
to a new host on April 20, with cybersecurity firm Avast disclosing
a week later that it had blocked[10] a ransomware sample in
the wild “that looks like a new Sodinokibi / REvil variant.”

While the sample in question was found not to encrypt files but
only to append a random extension, Secureworks attributed this to a
programming error introduced in the functionality that renames
files as they are encrypted.

On top of that, the new samples[11] dissected by the
cybersecurity firm — which carry a timestamp of March 11, 2022 —
incorporate notable changes to the source code that set it apart
from another REvil artifact dated October 2021.

These include updates to the string decryption logic, the
configuration storage location, and the hard-coded public keys.
Also revised are the Tor domains displayed in the ransom note,
which now reference the same sites that went live last month:

  • REvil leak site:
    blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd[.]onion
  • REvil ransom payment site:
    landxxeaf2hoyl2jvcwuazypt6imcsbmhb7kx3x33yhparvtmkatpaad[.]onion
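The two Tor addresses above are the kind of indicator a responder pulls out of a ransom note to confirm which family is involved. The following Python is an added example, not code from the article or from Secureworks: it extracts Tor v3 hostnames from note text (including the defanged `[.]onion` notation used above), and matches them against the two addresses quoted in the article. The sample ransom note, the `REVIL_ONION_IOCS` table and the function names are constructed for this illustration; the only real values are the two addresses taken from the text above.

```python
import re

# Indicator table built from the two addresses quoted in the article,
# kept in the defanged form the article uses. Labels are ours.
REVIL_ONION_IOCS = {
    "blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd[.]onion": "REvil leak site",
    "landxxeaf2hoyl2jvcwuazypt6imcsbmhb7kx3x33yhparvtmkatpaad[.]onion": "REvil ransom payment site",
}

# Tor v3 hostnames are exactly 56 base32 characters (a-z, 2-7) followed
# by ".onion"; the alternation also accepts the defanged "[.]onion".
ONION_V3_RE = re.compile(r"\b([a-z2-7]{56})(?:\.|\[\.\])onion\b")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]" or "(.)") back into a usable hostname."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


def defang(indicator: str) -> str:
    """Defang a hostname for safe inclusion in reports and tickets."""
    return indicator.replace(".", "[.]")


def extract_onion_domains(text: str) -> list[str]:
    """Return unique v3 .onion hostnames found in text, refanged, in order of first appearance."""
    found: list[str] = []
    for match in ONION_V3_RE.finditer(text.lower()):
        host = match.group(1) + ".onion"
        if host not in found:
            found.append(host)
    return found


def match_revil_iocs(text: str) -> dict[str, str]:
    """Map each known REvil .onion hostname present in text to its label."""
    known = {refang(addr): label for addr, label in REVIL_ONION_IOCS.items()}
    return {host: known[host] for host in extract_onion_domains(text) if host in known}


# Constructed ransom note: one address defanged, one as a plain URL, plus an
# unrelated (constructed) v3 address that must not match the IOC table.
SAMPLE_NOTE = (
    "Your files are encrypted.\n"
    "Read our blog: blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd[.]onion\n"
    "To pay visit http://landxxeaf2hoyl2jvcwuazypt6imcsbmhb7kx3x33yhparvtmkatpaad.onion/\n"
    "Mirror: " + "a" * 56 + ".onion\n"
)

if __name__ == "__main__":
    for host, label in match_revil_iocs(SAMPLE_NOTE).items():
        # Print defanged so the output can be pasted into a report.
        print(f"{label}: {defang(host)}")
```

Matching on the full 56-character hostname rather than a substring avoids false positives from other v3 services, and lowercasing the note first handles ransom notes that shout in capitals.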

REvil’s revival is also likely tied to Russia’s ongoing invasion
of Ukraine, following which the U.S. backed out of a proposed joint
cooperation[12] between the two countries to safeguard critical
infrastructure.

If anything, the development is yet another sign that ransomware
actors disband only to regroup and rebrand under a different name
and pick up right from where they left off, underscoring the
difficulty in completely rooting out cybercriminal groups.

References

  1. ^ said (www.secureworks.com)
  2. ^ Gold Southfield (www.secureworks.com)
  3. ^ GandCrab (www.secureworks.com)
  4. ^ since 2019 (blog.talosintelligence.com)
  5. ^ JBS (thehackernews.com)
  6. ^ Kaseya (thehackernews.com)
  7. ^ law enforcement action (thehackernews.com)
  8. ^ several members (thehackernews.com)
  9. ^ began redirecting (twitter.com)
  10. ^ blocked (twitter.com)
  11. ^ samples (www.virustotal.com)
  12. ^ proposed joint cooperation (tass.com)