Experts analysed a new malware sample and confirmed the return of REvil

Against the background of growing tensions between Russia and the United States, experts analysed samples of the new malware and confirmed the return of REvil cybercriminals with a new ransomware.

After the start of Russia’s invasion of Ukraine, REvil’s TOR sites began to come back online, but instead of the old content they redirected visitors to the URLs of a new, unnamed ransomware group.

While these sites did not look like the previous REvil sites, the fact that the old infrastructure was redirecting to the new URLs pointed to the group’s return. However, in November, “REvil is bad” messages began to appear on the group’s websites. Such access to the sites could equally indicate action by law enforcement or by other cybercriminals, so the revived REvil pages alone cannot serve as strong evidence of the gang’s return.

Jakub Kroustek

The only way to know for sure whether REvil was back was to find a sample of the ransomware and analyse it to determine whether it had been patched or built from the original source code. Such a sample of the new ransomware was discovered this week by Avast researcher Jakub Kroustek. Analysis of the sample confirmed the connection between the unnamed group and REvil.

According to analysts, the discovered sample was compiled from the REvil source code and also contains fresh changes. Security researcher R3MRUM tweeted that the sample’s version number has been changed to 1.0, but that it is a continuation of the latest version, 2.08, released by REvil before its shutdown.

“A few hours ago, we blocked a #ransomware sample in-the-wild that looks like a new #Sodinokibi / #REvil variant. Timestamp 2022-04-27, new config, new mutex, campaign ID, etc. Funny thing: it does not encrypt files; only adds a random extension.” Jakub Kroustek reported.

The researcher could not explain why the sample does not encrypt files, but believes that it was compiled from the source code.
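A defender-side triage check prompted by that observation, added here as an example and not part of this article or of the researchers’ tooling: it flags files whose new extension looks random but whose content is still low-entropy, i.e. renamed rather than actually encrypted. The file names, contents, extension pattern and entropy threshold are constructed assumptions.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Constructed sample contents (not from the analysed malware): repetitive
# plaintext and a pseudo-random blob standing in for genuinely encrypted data.
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat. " * 40
RANDOM_BLOB = os.urandom(2048)

# Assumed shape of a "random extension": 5-12 lowercase alphanumerics.
RANDOM_EXT = re.compile(r"\.[0-9a-z]{5,12}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, threshold: float = 7.0) -> str:
    """Return 'normal', 'encrypted' or 'renamed-only' for one file."""
    if not RANDOM_EXT.search(os.path.basename(path)):
        return "normal"
    with open(path, "rb") as fh:
        head = fh.read(4096)  # first 4 KiB is enough to judge entropy
    return "encrypted" if shannon_entropy(head) >= threshold else "renamed-only"


def triage(directory: str) -> dict:
    """Map every file name in the directory to its verdict."""
    return {name: classify(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))}


def build_demo_dir() -> str:
    """Write the constructed sample files into a temp dir and return its path."""
    d = tempfile.mkdtemp()
    samples = {
        "report.txt.k9x2mf": PLAINTEXT,   # renamed, content untouched
        "photo.jpg.q7z1pd": RANDOM_BLOB,  # renamed and high-entropy
        "notes.txt": PLAINTEXT,           # ordinary, untouched file
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    for name, verdict in triage(build_demo_dir()).items():
        print(f"{verdict:13} {name}")
```

A run over a real share would show a "renamed-only" majority for a sample like the one described, versus "encrypted" for a working encryptor, which is what distinguishes a data-loss incident from a cosmetic one.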

Version change in the new REvil encryptor

Advanced Intel CEO Vitali Kremez also examined the sample and confirmed that it was compiled from source on April 26th. According to him, the new REvil sample includes a new ‘accs’ configuration field containing the credentials of the targeted victim.

Kremez believes the ‘accs’ configuration option is used to prevent encryption on devices that do not contain the expected Windows accounts and domains, which allows targeted attacks.

In addition to the ‘accs’ parameter, the SUB and PID parameters, used as Campaign and Branch IDs, have been changed in the configuration of the new REvil sample to use longer GUID-style values such as “3c852cc8-b7f1-436e-ba3b-c53b7fc6c0e4”.

BleepingComputer also tested the ransomware sample, and it produced a ransom note identical to the old REvil ransom notes.

REvil ransom note

The new group calls itself “Sodinokibi”; however, the new site is almost identical to the old REvil site.


It is not surprising that REvil has changed its name as part of the new operation, especially given the worsening relations between the US and Russia.

When ransomware operations rebrand, they usually do so to evade law enforcement or sanctions that prevent payment of a ransom. Therefore, it is unusual for REvil to publicly announce its return rather than try to avoid detection, as we have seen in many other ransomware rebrands.

Helga Smith

I have been interested in computer science, especially data security and the subject now called “data science”, since my early years. Before joining the virus removal team as editor-in-chief, I worked as a cyber security specialist at several companies, including one of Amazon’s contractors. Another experience: I have taught at Arden and Reading universities.
