Regular ransomware watchers will remember REvil’s heyday, which wasn’t that long ago. In a previous article, Ransomware.org highlighted their greatest hits, featuring the most famous ransomware attack of all.
- A major ransomware attack on Brazilian meat producer JBS in May 2021, which shut down plants in the U.S., Australia, and Brazil. An $11 million ransom was demanded and, reportedly, paid. Within days, the FBI blamed REvil for the attack by name.
- An April 2021 attack on Apple chip maker Quanta Computer. After the $50 million ransom was not paid, the group released data on forthcoming Apple laptops.
- An attack in July 2021 on 50-60 managed service providers (MSPs) using the Kaseya VSA remote management software, which impacted up to 1,500 of their customers. The ransom demanded was a reported world record $70 million, which Kaseya said it did not pay.
- The attack on Colonial Pipeline that forced millions of people in the northeastern U.S. to queue for gasoline. Colonial reportedly paid $4.4 million in Bitcoin, some of which was later recovered by U.S. authorities under unclear circumstances. Although the attack was claimed by the DarkSide group, the malware used was based on REvil’s.
In a bit of poetic justice, REvil was itself hacked last October, as reported here. Its backups were compromised—a favorite tactic of REvil and other criminal ransomware organizations.
The attacks listed earlier were all from 2021; REvil hadn’t been heard from in 2022.
Until now. BleepingComputer reported that numerous signs indicate the group has been revived. For instance, its infrastructure came back online, and its Tor servers redirected visitors to URLs for a new ransomware operation. Given that the old infrastructure is being reused, it’s likely a rebranded REvil operation.
Some experts aren’t so sure it’s another REvil variant, however. Tech Monitor quoted several who theorized that someone is trying to piggyback on REvil’s reputation, or that perhaps Russian law enforcement is using the REvil name to lure in former members.
BleepingComputer said that a sample of a ransomware encryptor used by the reconstituted version of REvil was “compiled from source code and includes new changes.” If true, as the sources contend, it would be strong evidence that the new REvil is related to the old REvil.