REvil is back. The REvil ransomware gang is an ambitious Ransomware-as-a-Service (RaaS) operation. It first came to light in 2019, as another ransomware gang, known as GandCrab, dissolved into a digital black hole. On occasion, the group is known by other names, including Sodin and Sodinokibi.

What makes REvil unique

REvil has a rap sheet that includes requesting exorbitant payments from corporate victims. Its affiliates are also known for pursuing high levels of financial gain. In ‘underground’ cyber crime forums, REvil’s software is often recommended by cyber criminals as the best choice for maximizing profits.

In an interview, the group’s product developers claimed to have earned more than $100 million USD per year through their operations. The developers are thought to receive just a fraction, roughly 20-30%, of the total funds extorted from victims.

In the past, numerous high-profile organizations have contended with REvil’s ransomware. The group is allegedly responsible for the JBS cyber attack, which affected the global food supply chain, the Kaseya VSA ransomware attack, which affected hundreds of managed service providers, and the Colonial Pipeline attack, which disrupted the oil supply chain in the US.

Wait, but weren’t REvil members arrested?

In January, authorities in Russia announced the disruption of the REvil ransomware gang’s activities. Fourteen of the group’s members were arrested. General operations were halted. The event “marked a rare positive moment” in geopolitical relations, according to the Washington Post.

The takedown occurred in Russia, at the request of the US government, which intended to curtail possibilities for repeats of past cyber security incidents.

At the time, the FSB seized millions of USD, Euros and Rubles, 20 luxury cars, computer equipment, and cryptocurrency wallets containing more than £440,000 worth of Bitcoin from REvil members. A partial video of the sting made its way onto the internet.

However, amidst recent geopolitical tensions, REvil members may have been excused from past offenses. REvil has begun operating again.

REvil ransomware reemergence – technical details

Last week, researchers obtained a sample of a seemingly new ransomware operation’s encryptor. They confirmed ties to the REvil group. Although a few ransomware operations do use REvil’s encryptor, all rely on patched executables as opposed to maintaining direct access to the gang’s source code. Multiple security researchers and malware analysts state that the discovered REvil sample reflects a compilation of source code and includes new changes to the original encryptor.

Closing thoughts

In general, if affected by ransomware, organizations can restore systems from backups. The danger in relation to REvil stems from the fact that the group may try to sell an organization’s data in cyber crime forums, tarnishing a brand’s image and client relationships. This represents another ‘layer’ of the REvil extortion scheme.

In the event that your organization suffers a ransomware attack, pursue mitigation strategies and inform law enforcement agencies of the incident. Work with them to determine which ransomware group conducted the attack.

Further resources

For more information about the REvil ransomware gang, see our past articles:

Lastly, to receive more cutting-edge cyber security news,  best practices and analyses, please sign up for the CyberTalk.org newsletter.