It is clear: REvil is active again and is again making victims. Several Tor pages of the Russian hackers are back online. These also contain names of new victims and newly captured data from previous targets. The real evidence that REvil is back up and running comes from a sample of a new ransomware attack. According to security researchers, it is unmistakably REvil.
That is what BleepingComputer reports.
REvil goes into hiding
If you follow the latest developments in the field of cybersecurity, the name REvil will certainly sound familiar. It is a hacker group that carries out ransomware attacks from Russia. They infiltrate victims’ computer systems and infect them with ransomware, which encrypts the files on those systems. Employees can then no longer open or consult those files. The only way to remove the digital lock is to pay a ransom.
In the past, REvil has claimed numerous victims in this way, including the currency exchange company Travelex, the Brazilian meat producer JBS and the American ICT service provider Kaseya. In the summer of 2021, the hacker group suddenly disappeared from the internet. All of its sites went dark, the helpdesk was no longer reachable and REvil spokesperson Unknown was banned from the hacker forum XSS.
In September, the sites were suddenly accessible again, albeit for a short period of time. A month later, the FBI said it had taken REvil’s entire infrastructure offline. Several leaders have been arrested in the US, Germany and Russia in recent months.
Security Researchers Are Sure: REvil Is Back
That seemed like the end of the road for REvil. Until last month, when a number of the hacker group’s servers were suddenly active again, including the Happy Blog and the Tor payment site. The names of new victims also appeared online.
Still, security experts were sceptical that REvil had actually risen from the dead. To be sure, a sample of a new victim’s ransomware encryptor had to be analyzed. That has now happened. Jakub Kroustek, a security analyst at AVAST, confirms on Twitter that the malware actually comes from REvil.
Kroustek isn’t the only expert to note REvil’s resurrection. BleepingComputer claims to have spoken to several security experts, and they all say the same thing: the malware they studied contains source code developed by REvil. The code has been patched at some points.
REvil signs with the name Sodinokibi
BleepingComputer tested the ransomware and saw that it generated a readme.txt containing instructions for paying the ransom. What the tech site did notice is that the group did not call itself REvil in the ransom note, but Sodinokibi, a pseudonym under which the hacker group operates. The content of the note, on the other hand, is almost the same as before. Finally, the readme.txt file contains no reference to REvil spokesperson Unknown.