The notorious REvil ransomware gang is back, confirmed by analysis of an encryptor that ties new ransomware found in the wild to the criminal organization. Further research confirms that the new software was compiled from original, hard-to-obtain source code, and generates a ransom note nearly identical to those generated by ransomware known to be used by REvil.
On January 15th, 2022, Russia’s FSB (Federal Security Service) dismantled the infrastructure of the REvil ransomware gang while also arresting 14 suspects. The event marked one of the last cooperative efforts between Russian and US law enforcement before the start of Russia’s war with Ukraine on Feb. 24th. REvil’s Tor sites were also hijacked in October of last year, which ultimately proved to be only a temporary disruption for the group.
Before the outbreak of the Russia-Ukraine war, there was an unspoken agreement among major dark web threat actors that targets were not to include nations in the CIS (Commonwealth of Independent States, a group of countries that made up the former USSR). After the start of the war, however, this dynamic seems to have changed, with some groups pledging to help Russia while others have pledged to help Ukraine.
For example, Conti, a particularly notorious ransomware group known for being indiscriminate in its targets, pledged “full support of Russian government” after the outbreak of the war, vowing retaliation upon those who organize “a cyber attack or any war activities against Russia.” In response, a group of Ukraine-aligned actors publicly released Conti chat log dumps on Twitter, with their contents described as “everything from the mundane details of how Conti is organized to new anecdotes about the group’s possible links to the Kremlin”.
The takedown of the Hydra darknet market on April 5th is also largely seen as a move to cripple the financial infrastructure of Russia’s cybercriminals, cutting their options to cash out proceeds obtained from ransomware operations.
According to analysts at Binary Defense, many dark web users believe REvil is now working directly with the Russian government, and that Russia’s arrest of 14 REvil-related individuals in January was “a political move to distract global attention from their aggression against Ukraine.”
REvil made some of their first global headlines in May 2021, when they were found to be responsible for an attack on JBS S.A., a Brazil-based meat processing company, which affected facilities located in Canada, the U.S., and Australia.