{"id":18950,"date":"2022-05-05T04:10:05","date_gmt":"2022-05-05T12:10:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/05\/05\/news-12683\/"},"modified":"2022-05-05T04:10:05","modified_gmt":"2022-05-05T12:10:05","slug":"news-12683","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/05\/05\/news-12683\/","title":{"rendered":"It’s business as usual for REvil ransomware"},"content":{"rendered":"

Credit to Author: Jovi Umawing| Date: Thu, 05 May 2022 11:24:03 +0000<\/strong><\/p>\n

After the FBS arrested 14 of its members<\/a> in January, and a subsequent lull in action, the REvil ransomware<\/a> gang appears to be back. We say “appears” because it’s still unclear whether the group’s operations have indeed restarted.<\/p>\n

To the trained eye, REvil’s movements seem out of sorts. When REvil’s old Tor infrastructure came back to life<\/a> in April, it was modified to redirect visitors to URLs owned by a new ransomware group. The sites the nodes point to looked nothing like REvil’s. And its data leak blog is prepopulated with new ransomware victims and old REvil victims.<\/p>\n

“And they are recruiting,” added<\/a> Malwarebytes Threat Intelligence Analyst Marcelo Rivero.<\/p>\n

REvil ransomware: a brief look back<\/h2>\n

When the REvil ransomware gang began its operations in 2019, it started strong. REvil, also known as Sodinokibi or Sodin, was the<\/em> new RaaS (ransomware as a service)<\/a> of the criminal underground, filling the hole GandCrab left behind.<\/p>\n

Like any “big-game hunting<\/a>” operator, REvil only targets high-earning organizations. The logic behind this is that such targets are presumed to pay up, even a high ransom. They presumed correct.<\/p>\n

2021 was the ransomware gang’s last year of activity. REvil attacked JBS<\/a>, one of America’s largest meat and poultry processors, in June. JBS underwent recovery proceedings immediately after the attack, unlike other ransomware victims. It was revealed months after that the company paid REvil<\/a> to the tune of $11M (\u00a37.8M).<\/p>\n

In July, REvil attacked Kaseya<\/a>, the company behind Kaseya VSA, a popular remote monitoring and management software. The ransomware gang asked for a whopping $70M ransom, but the company didn’t pay. Instead, it used a decryption key “from a third party” to decrypt all its encrypted files.<\/p>\n

Many suspected that something was up. Kaseya could not give any more details, as it was bound by an NDA (non-disclosure agreement), but the ransomware gang claimed that the decryptor was leaked by one of its operators<\/a>.<\/p>\n

Is REvil really back?<\/h2>\n

A ransomware sample is needed to dispel speculations on whether REvil has re-emerged or not. Sure enough, cybersecurity researcher Jakub Kroustek (@JakubKroustek<\/a>) discovered one recently.<\/p>\n

\n
\n
\n

A few hours ago, we blocked a #ransomware<\/a> sample in-the-wild that looks like a new #Sodinokibi<\/a> \/ #REvil<\/a> variant. Timestamp 2022-04-27, new config, new mutex, campaign ID, etc. Funny thing… it does not encrypt files; only adds a random extension \"\ud83e\udd14\" 42 BTC https:\/\/t.co\/UL1ECGLpmg<\/a> pic.twitter.com\/A8p5SLjcZr<\/a><\/p>\n

— Jakub Kroustek (@JakubKroustek) April 29, 2022<\/a><\/p><\/blockquote>\n