REvil Revival: Are Ransomware Gangs Ever Really Gone?

The infamous ransomware group appears to be back from the dead — maybe — and using the old brand, but experts question whether a reconstituted gang will have much success.

Skeleton hand rising out of grave at a cemetery amid an ominous background
Source: SunFlowerStudio via Alamy

Evidence that members of the defunct REvil group may be reviving the ransomware gang continues to accumulate, but cybersecurity experts question whether the group will have the same impact that it once did.

On April 29, anti-malware firm Avast revealed that the company's software had blocked a ransomware sample that appeared to be generated using information that only previous members of the REvil group could have accessed. The discovery of the file came more than a week after cybersecurity firm Emsisoft revealed that the Web address of REvil's leak site now points to a new host, using both the REvil name and claiming to have compromised a US university and an oil company in India.

These two breadcrumbs suggest that someone (or someones) has access to the REvil group's source code and infrastructure and may be restarting the operation, says Brett Callow, threat analyst at Emsisoft. They don't, however, prove it's the old crew getting back together.

"These facts do not necessarily prove ... that the old REvil gang is back," he says. "Instead, they simply indicate that one or more people who were previously connected with the operation have decided to pick up the reins."

Either way, the apparent resurrection of the group highlights the difficulty that cybersecurity professionals, law enforcement, and prosecutors have in disrupting successful cybercriminal groups. 

Following the critical attacks on meat processor JBS and IT management firm Kaseya in 2021, REvil shut down for a few months but reappeared in September. Then in January, Russian officials reportedly arrested 14 members of the group and raided more than two dozen locations, raising hopes that the takedown would last.

Instead, the group seems to have fragmented, with members working with other ransomware operations. Now some members may be making a half-hearted attempt to resurrect the REvil brand, but the tepid revival raises the question of what constitutes a group, as a couple of satellite members working together to re-create the ransomware gang's operation would not seem to pose an equal threat, Callow says.

"The fact that the new operation appears to be linked to REvil doesn’t make the threat it poses any more or less serious," he says, adding that he finds it "somewhat surprising to see the ransomware revived as, after being compromised by law enforcement, you’d think affiliates and service providers would have no confidence in the integrity of any operation connected with REvil."

Broken Malware, Bold Claims
The latest concerns over yet another revival of REvil come after Callow posted a screenshot of the redirected leak blog on Twitter on April 20, and — more than a week later — Avast security researcher Jakub Kroustek posted screenshots of malware that may have been a test, as it did not attempt to encrypt anything.

"This sample was detected so called 'in-the-wild,' meaning in our user-base on one of the computers protected by Avast," Kroustek said in an email interview with Dark Reading. "We believe this machine belongs to a threat actor that was using it for testing the detection capabilities. These were obviously solid enough to trigger the detection."

He added that the malware sample, which he said no other firm has captured to date, indicates that they are augmenting the capabilities of the original REvil ransomware.

"The code itself does not look any more dangerous compared to the previous versions, [but] the simple fact that we see this threat active again is disturbing," he said. "Furthermore, the discovered sample was modified in a way that its core feature, file encryption, was disabled. This may indicate that the actor is testing and developing it for future malware campaigns."

Zombie Malware

The reappearance is also not the first time that groups have claimed the REvil mantle. A year ago, a group known as Prometheus started compromising a variety of organizations — at least 30 by mid-2021 — claiming a tenuous heritage linking the group to REvil.

Furthermore, REvil is not the only group with nine lives. In early April, a group known as Black Cat, or ALPHV — and possibly including operators of the now-defunct BlackMatter group as members — began using a tool called FENDR, only previously available to the BlackMatter group. Also, last November, the Emotet botnet came back from the dead, more than 10 months after a task force of international law enforcement teamed with technology companies shut down the endemic Trojan.

Ransomware Continues to Wreak Havoc
Despite the seeming chaos of groups disappearing, reconstituting, and rebranding themselves, ransomware continues to grow as a threat to companies, their data, and their operations. In a recent survey, 43% of companies claimed to have had data encrypted by ransomware in 2021, up from 20% in 2020. In addition, the average ransomware paid to attackers quadrupled to more than $800,000, with a total cost of $1.4 million to remediate the average attack.

With such alluring profits, stamping out cybercriminals protected by some foreign jurisdictions is nearly impossible, says Emsisoft's Callow.

"We talk about ‘groups,’ but the reality is that outside of the core membership, they’re amorphous collections of individuals who provide services or ‘rent’ access to ransomware to use in attacks — and some of these individuals cooperate with multiple groups simultaneously," he says. "You can’t eradicate groups. You can only make it harder for them to operate. It’s all about increasing their risks while decreasing their rewards."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights