Earlier this year, Russian authorities effectively shut down the REvil ransomware gang after the arrest of several of its members. It was announced the operation was successful after Russian and U.S. law enforcement agencies cooperated to identify and locate the members of the gang. This cooperation caused threat actors to panic, and many members discussed on dark web forums that this may mark the end of ransomware. Prior to the arrests, threat actors believed there was an unwritten rule that allowed cyber criminals to operate within Russia so long as they did not attack organizations with Russian interests. After Russia’s unprovoked invasion of Ukraine, the United States halted all cooperation with Russia and condemned their actions in Ukraine. This led to a breakdown in investigative cooperation between Russian and U.S. law enforcement agencies regarding cybercrime. Recently, researchers and members on criminal forums have noticed REvil’s Tor infrastructure has come back, although users are redirected to a site for an unnamed ransomware operation. There was discussion surrounding REvil’s return, with many dark web users believing the group now works directly for Russian authorities. BleepingComputer reported that multiple threat researchers obtained a malware sample that indicates REvil has returned. Researchers believe that one of the previous core developers has relaunched the operation.
Analyst Notes
It is now believed that Russia’s cooperation and arrest of REvil members was a political move to distract global attention from their aggression against Ukraine. It is possible Russia is now allowing the members to relaunch their operation and could even be identifying victims for the gang. It is also possible that members of the group that were not arrested have rebranded and relaunched the group. Ransomware groups that are taken down or disappear often return under a new name to avoid detection and attention. It would be strange for members of the group that avoided being arrested to come back with the same name as they will instantly have the attention of global law enforcement agencies. Binary Defense analysts will continue to monitor the situation for any relevant developments.
https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/
