New evidence indicates that the notorious REvil ransomware is back, and freshly recovered samples show that the gang no longer excludes targets by region.
Secureworks researchers reviewed fresh malware samples recently uploaded to VirusTotal and concluded that whoever built them had access to REvil's source code.
This led the researchers to assess that the actor behind the new samples is the same operation that was shut down in late 2021.
The researchers said in a blog post reporting the finding, “The detection of many samples with distinct changes and the lack of an official new version imply that REvil is under active development.”
A new REvil leak site has also appeared recently. This latest sample, together with one discovered in October of last year, both point to REvil being active once more.
The researchers found that the string-decryption routine has been reworked in these latest versions and now depends on a new command-line argument.
The hard-coded public keys, as well as the storage location and data format of the configuration used for affiliate tracking, have all been modified.
The most significant change, however, is likely the removal of the region exclusion check.
Earlier REvil builds inspected the locale settings of the infected endpoint, such as its system language and installed keyboard layouts, to infer its region and would not activate if the host matched specific criteria (for example, a Russian-speaking region).
This check is no longer present.
The CTU researchers noted that “the October 2021 REvil sample deleted code that confirmed the ransomware was not operating on a machine that belonged within a banned zone.”
“With this removal, REvil could run on any machine, no matter where it was.”
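The following Python model, added here as an illustration and not code from REvil or from the Secureworks analysis, shows how such a locale-based "banned zone" check works and what its removal means. The LANGID exclusion list and the sample hosts are constructed assumptions for the demonstration, not REvil's actual list; the Win32 calls are only used when the script runs on Windows, so the logic can be exercised offline on any platform.

```python
"""Model of a ransomware locale kill switch ("banned zone" check).

Added example, not REvil's code. The excluded LANGIDs below are an
illustrative assumption; the real list is not reproduced here.
"""
import ctypes
import sys

# Illustrative set of Windows primary LANGIDs treated as a banned zone (assumption).
# 0x0419 ru-RU, 0x0422 uk-UA, 0x0423 be-BY, 0x043F kk-KZ
EXCLUDED_LANGIDS = {0x0419, 0x0422, 0x0423, 0x043F}


def in_banned_zone(ui_lang_id, keyboard_layouts):
    """True if the UI language or any installed keyboard layout is excluded.

    keyboard_layouts holds HKL values as returned by GetKeyboardLayoutList;
    the low 16 bits of an HKL carry the LANGID of the input language.
    """
    if ui_lang_id in EXCLUDED_LANGIDS:
        return True
    return any((hkl & 0xFFFF) in EXCLUDED_LANGIDS for hkl in keyboard_layouts)


def should_run(ui_lang_id, keyboard_layouts, region_check_enabled=True):
    """Decide whether the payload activates.

    region_check_enabled=True models the older builds, which refused to run
    in a banned zone. region_check_enabled=False models a build with the
    check removed: the locale no longer influences the decision at all.
    """
    if not region_check_enabled:
        return True
    return not in_banned_zone(ui_lang_id, keyboard_layouts)


def collect_windows_locale():
    """Read the live locale via Win32 on Windows; return None elsewhere."""
    if sys.platform != "win32":
        return None
    user32 = ctypes.windll.user32
    kernel32 = ctypes.windll.kernel32
    ui_lang = kernel32.GetUserDefaultUILanguage()
    count = user32.GetKeyboardLayoutList(0, None)  # nBuff=0 returns the count
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    layouts = [(h or 0) & 0xFFFFFFFF for h in buf]
    return ui_lang, layouts


# Constructed sample hosts (assumption): (UI LANGID, installed keyboard layout HKLs).
SAMPLE_HOSTS = {
    "us-workstation": (0x0409, [0x04090409]),
    "ru-workstation": (0x0419, [0x04190419, 0x04090409]),
    "us-with-ru-layout": (0x0409, [0x04090409, 0x04190419]),
}


def evaluate_hosts(region_check_enabled):
    """Map each sample host to whether the payload would activate on it."""
    return {
        name: should_run(lang, layouts, region_check_enabled)
        for name, (lang, layouts) in SAMPLE_HOSTS.items()
    }


if __name__ == "__main__":
    live = collect_windows_locale()
    if live is not None:
        print("this host, old check:", should_run(*live, region_check_enabled=True))
    print("old builds:     ", evaluate_hosts(region_check_enabled=True))
    print("check removed:  ", evaluate_hosts(region_check_enabled=False))
```

The practical consequence for defenders is the third sample host: with the check present, merely having an excluded keyboard layout installed was enough to stop the payload, which is why adding such a layout has sometimes been used as a crude mitigation. Once the check is removed, that setting has no effect on the activation decision, so detection and response cannot rely on locale-based kill switches.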
To read our blog on “Tor Servers of REvil have reactivated,” click here.
