Is REvil Ransomware Back Again?

Has the notorious REvil, aka Sodinokibi, ransomware operation come back? Researchers suspect that former developers may have restarted its server and data leak site. On 20 April 2022, the original Happy Blog leak site began redirecting to a new blog, which lists both old and apparently new victims, including Oil India Limited. Cybersecurity researchers on Twitter attributed a recent ransomware attack at Oil India Limited either to REvil or to impostors using the gang's name.

In early April 2022, a cyberattack was reported at the registered headquarters of Oil India Limited in Duliajan, in Assam's Dibrugarh district, which led the company to shut down all of its computers and IT systems. A spokesperson for Oil India Limited, a state-owned enterprise of the Government of India under the administrative control of the Ministry of Petroleum and Natural Gas, was not available for comment.[1]

See:  https://redskyalliance.org/xindustry/it-s-back-revil

Soufiane Tahiri, a France-based independent cybersecurity researcher, reported that after his initial tweets about the REvil activity, the situation evolved and more hints began to point toward the attackers being REvil itself and not a spoof. "The very first thing that made me and some other analysts think it's a group impersonating REvil is the fact that the REvil members have been dismantled recently; their blog went off and we didn't hear from them since then," Tahiri said.

An unnamed source at Oil India shared a screenshot with Tahiri from an infected device that had the exact same ransom note as the one historically used by the notorious REvil group. In addition, the file extensions of the encrypted files are random, like those used by REvil, which also made the source think the attacker was a copycat group, Tahiri stated. Tahiri said that he considered it possible that the hackers had obtained REvil code and given it a slight tweak, "until yesterday [April 20], when the original blog of REvil started to redirect to the new one. This means at least one thing: Someone has access to the original server, and this same one is the one behind the attacks, with absolutely no doubt."

Tahiri describes himself as one of "a few threat hunters who think that the main former developer is trying to revive REvil with new members." He says this is still speculation and as far as he knows, someone might be using the same REvil ransom note, extension scheme, and look and feel of the previous REvil Happy Blog. But most importantly, he says, this person has access to the actual old REvil server which, as of Wednesday, has started to redirect to the new blog.

The new blog's use of RuTOR, a Russian forum marketplace, is unusual: that forum is generally not used for ransomware-type activity. The advertising for affiliates is also interesting: the dark web forum chosen to host their auto-guarantor form, through which affiliates can apply, is not the typical choice for threat actors, or at least not for actors considered as 'elite' as REvil. This, coupled with the use on the site of names associated with other ransomware gangs, gives cause for skepticism about the new group's true identity and its affiliation with the original team.

On 21 March 2022, US President Joe Biden said: "Today, my administration is reiterating those [previous] warnings based on evolving intelligence that the Russian government is exploring options for potential cyberattacks. ... My administration will continue to use every tool to deter, disrupt, and if necessary, respond to cyberattacks against critical infrastructure. ... [And] we need everyone to do their part to meet one of the defining threats of our time."

Investigators have reported that a possible reason for the site's re-emergence relates to Russian reports that the communication channels between Russia and the U.S. on cybersecurity issues had been closed just a fortnight earlier, which is being read to mean that Moscow has allowed the once-arrested REvil gang to resume activities. It has not been confirmed that the blog is run by the same REvil team, and other actors have been seen using versions of the malware in previous months. But the fact that REvil's former onion address redirects to this new leak site suggests at least some degree of connection to the original group.
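The inference drawn above, that a redirect from the old onion address to the new blog means someone holds access to the original server, rests on a single HTTP detail that an analyst can check directly. The following Python is an added example, not code from Red Sky Alliance or from any researcher quoted on this page: it makes one request over Tor with redirect-following disabled, records the status and Location header of each hop, and classifies whether the hop stays on the same onion, moves to a different v3 onion service, or leaves Tor entirely. It assumes a local Tor SOCKS proxy on 127.0.0.1:9050 and `requests` installed with SOCKS support (PySocks); the onion addresses and responses in the demonstration are constructed placeholders, not the real addresses of either leak site.

```python
"""Record, without following, the redirect an onion service returns.

Added example (not Red Sky Alliance's or any quoted researcher's code).
Assumes a Tor client on 127.0.0.1:9050 and requests[socks]; all URLs
and responses below are constructed placeholders, not REvil's sites.
"""
import re
from urllib.parse import urljoin, urlsplit

# Tor v3 onion service name: 56 base32 characters followed by ".onion".
ONION_V3 = re.compile(r"^[a-z2-7]{56}\.onion$")
REDIRECT_CODES = {301, 302, 303, 307, 308}


def onion_host(url):
    """Lower-cased host part of a URL; '' for a relative Location."""
    return (urlsplit(url).hostname or "").lower()


def is_v3_onion(host):
    return bool(ONION_V3.match(host))


def classify_redirect(old_url, status, location):
    """Decide what one (status, Location) pair returned by old_url tells us.

    Returns one of:
      "no-redirect"       - not a 3xx, or no Location header
      "same-host"         - redirect stays on the original onion (path change)
      "onion-to-onion"    - original onion points at a *different* v3 onion:
                            whoever configured this controls the old server
      "onion-to-clearnet" - Location leaves Tor; record it, never auto-follow
    """
    if status not in REDIRECT_CODES or not location:
        return "no-redirect"
    old_host = onion_host(old_url)
    new_host = onion_host(location)
    if not new_host or new_host == old_host:
        return "same-host"
    if is_v3_onion(new_host):
        return "onion-to-onion"
    return "onion-to-clearnet"


def fetch_once(url, proxy="socks5h://127.0.0.1:9050", timeout=60):
    """One GET over Tor with redirects disabled; returns (status, Location).

    socks5h makes Tor resolve the name, so no .onion lookup ever reaches
    the local DNS resolver.
    """
    import requests  # requests[socks] supplies the SOCKS handler

    r = requests.get(url, proxies={"http": proxy, "https": proxy},
                     allow_redirects=False, timeout=timeout)
    return r.status_code, r.headers.get("Location")


def follow_chain(url, fetch=fetch_once, max_hops=5):
    """Walk redirects one hop at a time, recording each hop's classification.

    Stops on the first hop that is not a redirect within Tor, so a
    clearnet Location is logged but never requested.
    """
    chain = []
    seen = set()
    for _ in range(max_hops):
        if url in seen:  # redirect loop; stop rather than spin
            break
        seen.add(url)
        status, location = fetch(url)
        kind = classify_redirect(url, status, location)
        chain.append((url, status, location, kind))
        if kind not in ("onion-to-onion", "same-host"):
            break
        url = urljoin(url, location)
    return chain


# Constructed sample: what a one-hop check against a hypothetical old leak
# site might return. Placeholder names, deliberately not real addresses.
OLD = "http://" + "a" * 56 + ".onion/"
NEW = "http://" + "b" * 56 + ".onion/blog"
SAMPLE_RESPONSES = {OLD: (302, NEW), NEW: (200, None)}


def sample_fetch(url):
    """Offline stand-in for fetch_once, driven by SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    # Swap sample_fetch for fetch_once to run this against a live onion.
    for hop in follow_chain(OLD, fetch=sample_fetch):
        print(hop)
```

Two caveats apply when this is run for real. Keep the `socks5h` scheme so name resolution happens inside Tor, and never let the HTTP client auto-follow: a 3xx from a hostile site can point at a clearnet host, and that is something to record, not silently fetch. And a Location header only establishes that whoever set it up controls the old site's web tier or holds its onion key; as the article notes, that could be former members, law enforcement or an unknown third party.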

Sam Curry, the chief security officer at Cybereason, says that the speedy takedown of REvil in January took the world by surprise. It appeared that Russia had been playing nicely with the world order and that a rapprochement with the West, and with the Biden administration specifically, was a real possibility. "A month later, with the invasion of Ukraine and then the nationalization of ransomware cartels like the Conti group, the perspective changed. Now, if the reports are to be believed, the return of REvil to the cyber world begs the question: Is this the return of the 'suicide squad' for another mission, or was it law enforcement all along?" Curry said.

The redirect could only have been set up by somebody with access to REvil's servers and that list could include law enforcement, unknown third parties, and, of course, members of REvil.  Russian government involvement is also a possibility. Prior to the apparent reemergence of REvil, Natalia Tkachuk, head of the Information Security and Cybersecurity Service, which is part of the National Security and Defense Council of Ukraine, suggested in an interview with Recorded Future's The Record that the earlier Russian arrest of REvil participants was likely part of a special operation aimed either at hiding criminals from Western law enforcement agencies "or at directing them to work for the government. It is possible that some representatives of these detained groups are already involved in the planning and execution of cyberattacks on Ukrainian infrastructure."

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com


REDSHORTS - Weekly Cyber Intelligence Briefings:

https://attendee.gotowebinar.com/register/5504229295967742989


[1] https://www.bankinfosecurity.com/whos-behind-attempt-to-reboot-revil-ransomware-operation-a-18937
