REvil, a formidable Ransomware-as-a-Service (RaaS) operation that first came to light at the end of April 2019, has made a return. After six months of inactivity—following the raid by Russian authorities—the ransomware group seems to have resumed operation.
Analysis of new ransomware samples reveals that the developer has access to REvil’s source code, meaning that the threat group has re-emerged. These suspicions were further reinforced when the ransomware crew’s site relaunched on the dark web.
We’ve seen plenty of ransomware groups before, but what makes REvil special? What does the group’s return mean for the cyber world? Let’s find out!
What Makes REvil Ransomware Unique?
REvil built a reputation for going after high-profile and highly lucrative targets and demanding exorbitant payments from its victims. It's also one of the first groups to adopt the double extortion tactic, in which the victim's data is exfiltrated before it is encrypted.
The double extortion ransomware scheme allows REvil to demand two ransoms for high financial gains. In an interview with Russian OSINT, the group developers claimed they made more than $100 million in one year by targeting large enterprises. However, only a fraction of it went to the developers, while the affiliates got the lion’s share.
Major REvil Ransomware Attacks
The REvil ransomware group was behind some of the biggest ransomware attacks of 2020-21. The group first came into the limelight in 2020 when it attacked Travelex, ultimately leading to the company's demise. The following year, REvil started making headlines by staging highly lucrative cyber attacks that disrupted public infrastructure and supply chains.
The group attacked companies like Acer, Quanta Computer, JBS Foods, and the IT management and software provider Kaseya. The group likely had some links to the notorious Colonial Pipeline attack, which disrupted the fuel supply chain in the US.
Following the Kaseya REvil ransomware attack, the group went silent for some time to avoid the unwanted attention it had brought to itself. There was much speculation that the group was planning a new series of attacks in summer 2021, but law enforcement had other plans for REvil's operators.
Day of Reckoning for the REvil Cyber Gang
As the notorious ransomware gang resurfaced for new attacks, they found their infrastructure being compromised and turned against them. In January 2022, the Russian state security service FSB announced it had disrupted the group’s activities at the request of the United States.
Several gang members were arrested and their assets seized, including millions of US dollars, euros, and rubles, as well as 20 luxury cars and cryptocurrency wallets. REvil ransomware arrests were also made elsewhere in Eastern Europe, including in Poland, where authorities held a suspect in the Kaseya attack.
The downfall of REvil after the arrests of key group members was naturally welcomed in the security community, and many assumed that the threat had passed entirely. However, the sense of relief was short-lived as the gang has now restarted its operations.
The Resurgence of REvil Ransomware
Researchers from Secureworks analyzed a malware sample from March and hinted that the gang might be back in action. The researchers found that the developer likely has access to the original source code used by REvil.
The domain used by the REvil leak website also began operating again, but it now redirects visitors to a new URL where more than 250 REvil victim organizations are listed. The list contains a mix of REvil’s old victims and a few new targets.
Oil India—an Indian petroleum business company—was the most prominent of the new victims. The company confirmed the data breach and was served with a $7.5 million ransom demand. While the attack caused speculation that REvil was resuming operations, there were still questions about whether this was a copycat operation.
The only way to confirm REvil’s return was to find a sample of the ransomware operation’s encryptor and see if it was compiled from the original source code.
In late April, Avast researcher Jakub Kroustek discovered the ransomware encryptor and confirmed it was indeed a REvil variant. The sample didn't encrypt files; it only appended a random extension to them. Security analysts said this was a bug introduced by the ransomware developers.
Multiple security analysts have stated that the new ransomware sample ties to the original source code, meaning that someone from the gang—for instance, a core developer—must have been involved.
The Composition of REvil’s Group
The reappearance of REvil after the alleged arrests earlier this year has raised questions about the group’s composition and its ties to the Russian government. The gang went dark due to successful US diplomacy before the start of the Russia-Ukraine conflict.
For many, the sudden resurgence of the group suggests that Russia may want to use it as a force multiplier in the ongoing geopolitical tensions.
Since no individual has been identified yet, it’s unclear who is behind the operation. Are these the same individuals that ran the previous operations, or has a new group taken over?
The composition of the controlling group is still a mystery. But given the arrests earlier this year, it’s likely that the group might have a few operators who weren’t previously part of REvil.
As some analysts note, it isn't uncommon for ransomware groups to go down and reappear in other forms. However, one can't entirely rule out the possibility of someone leveraging the brand's reputation to gain a foothold.
Protection Against REvil Ransomware Attacks
The arrest of REvil’s kingpin was a big day for cybersecurity, especially when ransomware groups were targeting everything from public institutions to hospitals and schools. But as seen with any disruption to online criminal activity, it didn’t mean the end of the ransomware pandemic.
The danger in the case of REvil is the double extortion scheme in which the group would try to sell your data and tarnish a brand’s image and customer relationships.
In general, a good strategy to counter such attacks is to secure your network and conduct simulated attacks. Ransomware attacks often succeed because of unpatched vulnerabilities, and attack simulations can help you identify them.
Another key mitigation strategy is to verify everyone before they can access your network. A zero-trust strategy can be beneficial here, as it works on the basic principle of never trusting anyone by default and verifying every user and device before granting access to network resources.
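To make the zero-trust principle above concrete, here is an added example (not code from the article or from any vendor it mentions) of a per-request access decision that checks the user's authentication, the device's posture, and the resource's sensitivity before anything is granted, with deny as the default. It also ties in the point about unpatched systems by treating a stale patch level as grounds for refusal. The policy thresholds, field names and sample users, devices and resources are all constructed for illustration.

```python
"""Illustrative zero-trust access decision (added example, not from the article).

Every request is evaluated on its own merits: who is asking (identity and
MFA assurance), from what device (managed? patched? monitored?), and for
which resource (sensitivity tier). Nothing is trusted for being "inside the
network"; if any check fails, the outcome is deny. The thresholds, field
names and sample data below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Identity:
    user: str
    mfa_verified: bool                      # strong authentication completed this session
    groups: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                           # enrolled in the organisation's device management
    last_patched: date                      # when OS/security updates were last applied
    edr_running: bool                       # endpoint detection agent is reporting


@dataclass(frozen=True)
class Resource:
    name: str
    tier: str                               # "public", "internal" or "restricted"
    allowed_groups: frozenset = field(default_factory=frozenset)


# Constructed policy: how old a device's patch level may be per resource tier.
MAX_PATCH_AGE = {
    "public": timedelta(days=90),
    "internal": timedelta(days=30),
    "restricted": timedelta(days=14),
}


def evaluate(identity: Identity, device: Device, resource: Resource,
             today: date) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Default deny: every applicable check must pass."""
    reasons: list[str] = []
    # 1. Identity: the user proves who they are for every request, not once per session.
    if not identity.mfa_verified:
        reasons.append("mfa_missing")
    if resource.tier != "public" and not (identity.groups & resource.allowed_groups):
        reasons.append("not_authorised_for_resource")
    # 2. Device posture: the endpoint is verified as well as the person using it.
    if resource.tier != "public" and not device.managed:
        reasons.append("unmanaged_device")
    if today - device.last_patched > MAX_PATCH_AGE[resource.tier]:
        reasons.append("patch_level_too_old")
    if resource.tier == "restricted" and not device.edr_running:
        reasons.append("edr_not_running")
    return (not reasons, reasons)


# Constructed sample data (assumptions for the demonstration).
TODAY = date(2022, 5, 1)
ALICE = Identity("alice", mfa_verified=True, groups=frozenset({"finance"}))
BOB = Identity("bob", mfa_verified=False, groups=frozenset({"finance"}))
LAPTOP_OK = Device("lt-001", managed=True, last_patched=date(2022, 4, 25), edr_running=True)
LAPTOP_STALE = Device("lt-002", managed=True, last_patched=date(2022, 2, 1), edr_running=True)
HOME_PC = Device("pc-home", managed=False, last_patched=date(2022, 4, 28), edr_running=False)
PAYROLL = Resource("payroll-db", "restricted", frozenset({"finance"}))
WIKI = Resource("wiki", "internal", frozenset({"finance", "engineering"}))
STATUS_PAGE = Resource("status-page", "public")


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Evaluate a handful of constructed requests and return the decisions."""
    return {
        "alice/laptop/payroll": evaluate(ALICE, LAPTOP_OK, PAYROLL, TODAY),
        "bob/laptop/payroll": evaluate(BOB, LAPTOP_OK, PAYROLL, TODAY),
        "alice/stale/payroll": evaluate(ALICE, LAPTOP_STALE, PAYROLL, TODAY),
        "alice/home/wiki": evaluate(ALICE, HOME_PC, WIKI, TODAY),
        "alice/home/payroll": evaluate(ALICE, HOME_PC, PAYROLL, TODAY),
        "alice/home/status": evaluate(ALICE, HOME_PC, STATUS_PAGE, TODAY),
    }


if __name__ == "__main__":
    for request, (allowed, reasons) in demo().items():
        print(f"{request:24} {'ALLOW' if allowed else 'DENY':5} {', '.join(reasons)}")
```

The design point is that the decision is recomputed for each request from current evidence, so a laptop that was compliant last week is refused today once its patch level falls outside the window, and a valid login from an unmanaged home PC still never reaches a restricted system.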