October 3, 2022

The notorious ransomware operation known as REvil (aka Sodin or Sodinokibi) has resumed after six months of inactivity, an analysis of new ransomware samples has revealed.

“Analysis of these samples indicates that the developer has access to REvil’s source code, reinforcing the likelihood that the threat group has reemerged,” researchers from Secureworks Counter Threat Unit (CTU) said in a report published Monday.

“The identification of multiple samples with varying modifications in such a short period of time and the lack of an official new version indicates that REvil is under heavy active development once again.”

REvil, short for Ransomware Evil, is a ransomware-as-a-service (RaaS) scheme attributed to a Russia-based/speaking group known as Gold Southfield; it emerged just as GandCrab activity declined and that group announced its retirement.

It’s also one of the earliest groups to adopt the double extortion scheme in which stolen data from intrusions is used to generate additional leverage and compel victims into paying up.

Operational since 2019, the ransomware group made headlines last year for their high-profile attacks on JBS and Kaseya, prompting the gang to formally shut shop in October 2021 after a law enforcement action hijacked its server infrastructure.

Earlier this January, several members belonging to the cybercrime syndicate were arrested by Russia’s Federal Security Service (FSB) in the wake of raids conducted at 25 different locations in the country.

The apparent resurgence comes as REvil’s data leak site on the Tor network began redirecting to a new host on April 20, with cybersecurity firm Avast disclosing a week later that it had blocked a ransomware sample in the wild “that looks like a new Sodinokibi / REvil variant.”

While the sample in question was found to not encrypt files and only add a random extension, Secureworks has chalked it up to a programming error introduced in the functionality that renames files that are being encrypted.

On top of that, the new samples dissected by the cybersecurity firm — which carry a timestamp of March 11, 2022 — incorporate notable changes to the source code that set it apart from another REvil artifact dated October 2021.

This includes updates to its string decryption logic, the configuration storage location, and the hard-coded public keys. Also revised are the Tor domains displayed in the ransom note, referencing the same sites that went live last month:

  • REvil leak site: blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd[.]onion
  • REvil ransom payment site: landxxeaf2hoyl2jvcwuazypt6imcsbmhb7kx3x33yhparvtmkatpaad[.]onion

REvil’s revival is also likely tied to Russia’s ongoing invasion of Ukraine, following which the U.S. backed out of a proposed joint cooperation between the two countries to safeguard critical infrastructure.

If anything, the development is yet another sign that ransomware actors disband only to regroup and rebrand under a different name and pick up right from where they left off, underscoring the difficulty in completely rooting out cybercriminal groups.