After being announced by the researcher Pancak3 and reported by ZDNet, it is now public that the REvil ransomware gang has purchased the source code of the KPOT stealer at the initial asking price of $6,500 USD. KPOT is used to steal passwords saved in web browsers, VPN clients, instant messaging applications and other software. Ransomware threat actors often use stolen credentials to expand their access to additional systems and escalate privileges, gaining more control over corporate networks before launching the ransomware to affect as many computers as possible. With this acquisition, REvil is now free to incorporate the stealer into its operations and improve on the code base, as the original developer wants to move on to other projects. Secureworks® Counter Threat Unit™ (CTU) analysis has suggested that REvil is likely associated with the now disbanded GandCrab ransomware group, based on similar code patterns and the emergence of REvil as GandCrab activity declined.
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in