Evidence continues to mount that members of the defunct REvil group could be reviving the ransomware gang, but cybersecurity experts doubt the group will have the same impact as it once did.
On April 29, anti-malware company Avast announced that its software had blocked a ransomware sample that appears to have been built using information only former members of the REvil group could access. The discovery of the file comes more than a week after cybersecurity firm Emsisoft revealed that the web address of REvil's leak site now redirects to a new host that both uses the REvil name and claims to have compromised a US university and an oil company in India.
Those two breadcrumbs suggest that someone (or some group) has access to the REvil group's source code and infrastructure and may be restarting the operation, says Brett Callow, threat analyst at Emsisoft. However, they don't prove that the old crew is getting back together.
“These facts don’t necessarily prove… that the old REvil gang are back,” he says. “Instead, they simply indicate that one or more people previously associated with the operation have decided to take the reins.”
In any case, the group’s apparent revival underscores the difficulties that cybersecurity professionals, law enforcement agencies, and prosecutors have in disrupting successful cybercriminal groups.
After the high-profile attacks on meat processor JBS and IT management company Kaseya in 2021, REvil went dark for a few months but reappeared in September. Then, in January, Russian officials reportedly arrested 14 members of the group and searched more than two dozen locations, raising hopes that the takedown would last.
Instead, the group appears to have fragmented, with members moving on to other ransomware operations. Now, some members may be making a half-hearted attempt to revive the REvil brand, but the tepid revival raises the question of what constitutes a group, as a few satellite members working together to replicate the ransomware gang's operation do not necessarily pose an equal threat, Callow says.
"The fact that the new operation appears to be linked to REvil doesn't make the threat it poses any more or less serious," he says, adding that he finds it "somewhat surprising that the ransomware is being revived after being compromised by law enforcement," and believes affiliates and service providers would not have confidence in the integrity of REvil-related operations.
Broken malware, bold claims
The latest concerns about another REvil revival come after Callow posted a screenshot of the redirected leak blog on Twitter on April 20 and, more than a week later, Avast security researcher Jakub Kroustek posted screenshots of a malware sample that may have been a test build, as it wasn't trying to encrypt anything.
"This sample was discovered in what is known as 'in-the-wild', i.e. in our user base on one of Avast's protected computers," Kroustek said in an email interview with Dark Reading. "We believe this machine belongs to a threat actor who used it to test detection capabilities. These were obviously solid enough to trigger detection."
He added that the malware sample, which he says has not been captured by any other company, appears to extend the capabilities of the original REvil ransomware.
“The code itself doesn’t look any more dangerous compared to previous versions, [but] the simple fact that we are seeing this threat active again is disturbing,” he said. “Furthermore, the discovered sample was modified in such a way that its core function, file encryption, was disabled. This may indicate that the actor is testing and developing it for future malware campaigns.”
The reappearance isn't the first time a group has claimed the REvil mantle, either. A year ago, a group called Prometheus began compromising a multitude of organizations (at least 30 by mid-2021) while claiming a tenuous lineage that ties it to REvil.
REvil also isn't the only group with nine lives. In early April, a group called BlackCat, or ALPHV, which may count operators of the now-defunct BlackMatter group among its members, began using a tool called FENDR that was previously available only to the BlackMatter group. Likewise, the Emotet botnet came back from the dead last November, more than 10 months after an international law enforcement task force working with tech companies shut down the widespread Trojan.
Ransomware continues to wreak havoc
Despite the seeming chaos of groups disappearing, re-forming, and renaming, ransomware continues to grow as a threat to businesses, their data, and their operations. In a recent poll, 43% of organizations reported having data encrypted by ransomware in 2021, up from 20% in 2020. Additionally, the average ransom paid to attackers quadrupled to more than $800,000, and the total cost of remediating the average attack reached $1.4 million.
With such tempting prizes, it’s almost impossible to root out cybercriminals protected by some foreign jurisdictions, says Emsisoft’s Callow.
"We speak of 'groups', but the reality is that outside of the core membership, these are amorphous collections of individuals who provide services or 'rent' access to ransomware to use in attacks, and some of these individuals are collaborating with several groups at the same time," he says. "You cannot exterminate groups. You can only make it harder for them to operate. It's all about increasing their risks while decreasing their rewards."