New REvil samples indicate the comeback of the REvil gang



An analysis of new ransomware samples has revealed that the notorious ransomware operation known as REvil has resumed after six months of inactivity.


Known as Ransomware Evil, REvil is a ransomware-as-a-service (RaaS) scheme attributed to a Russia-based group known as Gold Southfield. Earlier this year, several members belonging to the cybercrime gang were arrested by Russia's Federal Security Service.


One sample was found not to encrypt files but only to append a random extension, because an error had been introduced in the functionality that renames files while they are being encrypted. The researchers noted that the Gold Southfield malware reuses much of the source code of older REvil samples and much of the same infrastructure to host and disclose its victims.


Analysis of these samples indicates that the developer has access to REvil's source code, reinforcing the likelihood that the threat group has reemerged. The identification of multiple samples with varying modifications in such a short period of time and the lack of an official new version indicates that REvil is under heavy active development once again.


Operational since 2019, the ransomware group made headlines last year for their high-profile attacks on JBS and Kaseya, prompting the gang to formally shut down in October 2021 after a law enforcement action hijacked its server infrastructure.


The RaaS model has proven highly lucrative for the group, as REvil and its members have hauled in millions of dollars in extortion and ransom payments. Following the recent resurgence, experts warn that ransomware incidents could see a jump as one of the most prolific operations returns.


Copyright @1999-2022 - All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission of Kalinga Digital Media Pvt. Ltd. is prohibited.