A return from the dead? REvil showing signs of life

Ransomware gang REvil creeping back in

I’ve covered the happenings of REvil for a long while now, as the four readers out there may already know. Recent events have pulled me back into the REvil story. Back in October 2021, their operations took a serious blow, and major arrests followed in January 2022.

Given how ransomware gangs and malware work, and the sociopathic nature of the internet, I knew taking down one entity was not the end of ransomware gangs. But it was cathartic to see, since the initial downfall of REvil was the result of international cooperation and hard work in the cybersecurity sector.

But political circumstances and global turmoil, mainly the Russian invasion of Ukraine, created a hotbed of chaos. And what do ransomware gangs love? Instability. Chaos is the perfect foundation for engineering malware campaigns. The short version: as political tensions escalated and the United States condemned Putin’s actions, cybersecurity cooperation fell apart. The REvil takedown was the work of a lot of people across the pond, and once that cooperation collapsed, the operators were able to restart.

Operators in the REvil space have returned with renewed infrastructure and new attack targets.

Timeline of the return

  • In January 2022, the FSB reported multiple arrests of REvil members
  • In February 2022, Russia invaded Ukraine and diplomacy between the US and Russia broke down
  • In April 2022, communication between cybersecurity teams was cut off (among everything else)
  • At the beginning of May 2022, REvil operations restarted

According to reports, visiting REvil’s old TOR domains now redirects to a new one, carrying similar operations and lists of victims. The redirect matters because a .onion address is derived from the service’s private key: nobody can serve anything at the old address, even a redirect, without that key. It’s therefore safe to assume REvil has returned, even if not at full capacity.
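Why a redirect from an old .onion address is meaningful: a v3 onion address is nothing more than a base32 encoding of the service’s 32-byte ed25519 public key, a two-byte checksum over that key, and a version byte, so whoever serves content at the old address must hold the matching private key. The following Python is an added example (not code from the original post or from any REvil analysis) that derives a v3 address from a public key and validates one, using the encoding from Tor’s rend-spec-v3. The key bytes are constructed for the demo, not a real service key.

```python
import base64
import binascii
import hashlib

# Constants from Tor's rend-spec-v3, section 6 (onion address encoding).
ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
ONION_V3_BODY_LEN = 56  # base32 of 35 bytes: 32 pubkey + 2 checksum + 1 version


def onion_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Derive the v3 .onion address for a 32-byte ed25519 service public key.

    The address contains only the key, a checksum over the key, and a version
    byte, so publishing at a given address requires the matching private key.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_onion_address(address: str) -> bytes:
    """Validate a v3 .onion address and return the embedded public key.

    Raises ValueError on wrong length, wrong version byte, or a checksum
    mismatch (mistyped, truncated or tampered address).
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != ONION_V3_BODY_LEN:
        raise ValueError("v3 onion address body must be 56 base32 characters")
    raw = base64.b32decode(host, casefold=True)
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError("not a v3 onion address")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch")
    return pubkey


def is_valid_onion_address(address: str) -> bool:
    """True if the address decodes as v3 and its checksum verifies."""
    try:
        pubkey_from_onion_address(address)
    except (ValueError, binascii.Error):
        return False
    return True


if __name__ == "__main__":
    # Constructed demo key: NOT a real service key, just 32 deterministic bytes.
    demo_pubkey = bytes(range(32))
    addr = onion_address_from_pubkey(demo_pubkey)
    print(addr)
    print(pubkey_from_onion_address(addr) == demo_pubkey)
    # Change one character of the key portion: still valid base32, but the
    # checksum no longer verifies, so the address is rejected.
    tampered = ("b" if addr[0] != "b" else "c") + addr[1:]
    print(is_valid_onion_address(tampered))
```

Two different addresses that both validate are two different keys; the check above cannot tell you who holds the new key, only that whoever answered at the old address still holds the old one.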

Worse, the environment in which they now operate gives REvil a more vicious profile than ever. Russia’s ongoing invasion and aggression mean its government will exploit whatever advantages it has, and turning a blind eye to REvil and other Russia-based ransomware gangs gives them free rein to run malicious campaigns with little fear of repercussion. The collapse of cybersecurity cooperation will only embolden them in the months and years to come, since international effort is what stopped them in the first place.

Further evidence of the return came when Avast malware research director Jakub Kroustek identified a new REvil ransomware sample.

According to other reports, REvil resumed operations with some of its original team, namely the primary developer, who still had the original source code and access to REvil’s previous infrastructure.

What happens now?

While REvil isn’t likely to return to its previous strength, its rebound is notable and a painful consequence of Putin’s actions and the breakdown in communication. Moreover, gangs like REvil will resume their previous campaigns while also targeting Ukraine-linked infrastructure and the United States. REvil’s return has also been “loud”, which signals confidence: normally, when ransomware gangs or other malicious actors return, they do so quietly to avoid attention from law enforcement.

As for defenders in the United States, it’s more of the same: high alert, proactive defense, and ransomware awareness are still the name of the game. Organizations that have taken steps to defend against ransomware, including scrutiny of inbound connections from Russian and Russia-adjacent sources, should continue doing so, keeping in mind that geographic blocking is a weak control on its own, since affiliates rent infrastructure anywhere. Keeping up with CISA advisories and other ransomware news will also keep organizations on their toes.

While REvil isn’t back at full force (and it remains to be seen whether it will be), its return highlights the agility and resilience of cybersecurity threats.

-Douglas James

It’s more important than ever to remain secure. For additional information about network security, contact Bytagig today.
