Regular ransomware watchers will remember REvil’s heyday, which wasn’t that long ago. In a previous article, Ransomware.org highlighted their greatest hits, featuring the most famous ransomware attack of all.
In a bit of poetic justice, REvil was itself hacked last October, as reported here. Its backups were compromised—a favorite tactic of REvil and other criminal ransomware organizations.
The attacks listed earlier were all from 2021; REvil hadn’t been heard from in 2022.
Until now. BleepingComputer reported that several indicators point to the group having been revived. For instance, its infrastructure came back online, and its Tor servers redirected visitors to URLs for a new ransomware operation. Given that the old infrastructure was being reused, the new operation is likely a rebranded REvil.
Some experts aren’t so sure it’s another REvil variant, however. Tech Monitor quoted several who theorized that someone is trying to piggyback on REvil’s reputation, or that perhaps Russian law enforcement is using the REvil name to lure in former members.
BleepingComputer said that a sample of a ransomware encryptor used by the reconstituted version of REvil was “compiled from source code and includes new changes.” If true, as the sources contend, it would be strong evidence that the new REvil is related to the old REvil.