New evidence has emerged that the infamous REvil ransomware is back with a vengeance, and recently discovered samples imply that the group no longer discriminates when choosing its targets.
Secureworks cybersecurity researchers analyzed new malware samples recently uploaded to VirusTotal and concluded that whoever built them likely had access to REvil’s source code in the past.
This led investigators to conclude that it is likely the same organization whose operations were halted in late 2021.
“The identification of several samples containing other modifications and the absence of a new official edition imply that REvil is in development,” the researchers said in a blog post announcing the findings.
A new REvil leak site has recently emerged. This most recent sample, together with an older sample discovered in October last year, implies that REvil is active again.
In the new samples, the researchers spotted updates to the string decryption logic, which now requires a new command line argument. The hard-coded public keys have been updated, along with the configuration storage location and the data format used for affiliate tracking.
But perhaps the biggest update is the removal of the banned-regions check. Previous versions of REvil checked the geographical location of the infected machine and, if it met certain criteria (for example, if it was in a Russian-speaking country), the ransomware did not execute.
This is no longer the case.
“The October 2021 REvil sample removed code that verified that the ransomware did not run on a system that resided in a banned region,” the CTU researchers wrote. “This removal allowed REvil to run on any system, regardless of its location.”
REvil was originally shut down after a joint U.S.-Russian operation, in which the Russians arrested more than a dozen members.
As Russia’s invasion of Ukraine soured relations between Russia and the United States, the U.S. government moved forward and unilaterally shut down its cybersecurity communication channel with Moscow. As a result, the United States also withdrew from the REvil-related negotiation process.
Prior to the Secureworks analysis, other cybersecurity companies had already warned about the resurgence of REvil, including Avast, Advanced Intel, R3MRUM, and s.
Via: The Register
Sead is a veteran freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, legislation and regulation). During his career, which spans more than a decade, he has written for many media outlets, including Al Jazeera Balkans. He has also run several modules on content writing for Represent Communications.