Who's Behind Attempt to Reboot REvil Ransomware Operation?Researchers Suspect Former REvil Developer of Restarting Server, Data Leak Site
Has the notorious REvil, aka Sodinokibi, ransomware operation come back? Researchers suspect former developers may have restarted the server and data leak site. On Wednesday, the original Happy Blog leak site began redirecting to the new blog, which lists both old and seemingly new victims, including Oil India Limited.
Also on Wednesday, multiple cybersecurity researchers on Twitter attributed a recent ransomware attack at Oil India Limited to either REvil or imposters using the gang's name.
After successfully locking Oil India, the #ransomware group trying to impersonate REvil (or maybe REvil ?!) added a new victim to their blog:Visotec Group.— Soufiane Tahiri (@S0ufi4n3) April 20, 2022
I'll be calling them useransom.187201 until an "official" name is given to them.@ValeryMarchive @SOSIntel @ransomwaremap pic.twitter.com/6HMvQ8522j
Earlier this month, at the government-owned Oil India Limited's registered headquarters in Duliajan in Assam's Dibrugarh district, a cyberattack was reported, which led to the company shutting down all its computers and IT systems.
A spokesperson for Oil India Limited, a state-owned enterprise of the Government of India under the administrative control of the Ministry of Petroleum and Natural Gas, was not available to comment.
REvil Is Back
Soufiane Tahiri, a France-based independent cybersecurity researcher, tells Information Security Media Group that after his initial tweets about the REvil activities, the situation evolved and more hints began to point toward the attackers being REvil itself and not a spoof.
"The very first thing that made me and some other analysts think it's a group impersonating REvil is the fact that the REvil members have been dismantled recently; their blog went off and we didn't hear from them since then," Tahiri says (see: REvil's Infrastructure Goes Offline).
An unnamed source at Oil India shared a screenshot with Tahiri from an infected device that had the exact same ransom note as the one used historically by the notorious REvil group.
In addition, the file extensions of encrypted files are random, like those used by REvil, which also made the source think the attacker was a copycat group, Tahiri says.
REvil Blog Resurfaces
Tahiri says he considered it possible that the hackers had obtained REvil code and given it a slight tweak, "until yesterday [April 20], when the original blog of REvil started to redirect to the new one. This means at least one thing: Someone has access to the original server, and this same one is the one behind the attacks, with absolutely no doubt."
Tahiri describes himself as one of "a few threat hunters who think that the main former developer is trying to revive REvil with new members." He says this is still speculation and as far as he knows, someone might be using the same REvil ransom note, extension scheme, and look and feel of the previous REvil Happy Blog. But most importantly, he says, this person has access to the actual old REvil server which, as of Wednesday, has started to redirect to the new blog.
New Advertiser on the Block
The new blog's use of RuTOR, which is a Russian forum marketplace, is generally not used for ransomware-type activity.
Louise Ferrett, threat intelligence analyst at Searchlight Security, says: "The advert for affiliates is also interesting: The dark web forum they have chosen to host their auto-guarantor form on, through which affiliates can apply, is not the typical choice for threat actors, or at least actors considered as 'elite' as REvil. This, coupled with the use of names associated with other ransomware gangs on the site, gives cause to be skeptical about this new group's true identity and affiliation to the original team. We're monitoring the situation closely."
US-Russia Cybersecurity Issues
On March 21, U.S. President Joe Biden said: "Today, my administration is reiterating those [previous] warnings based on evolving intelligence that the Russian government is exploring options for potential cyberattacks. ... My administration will continue to use every tool to deter, disrupt, and if necessary, respond to cyberattacks against critical infrastructure. ... [And] we need everyone to do their part to meet one of the defining threats of our time" (see: As Russia Invades Ukraine, Cyber Escalation Threat Looms).
Ferrett says that a possible reason for the site's reemergence relates to Russian reports that the communication channels between Russia and the U.S. on cybersecurity issues had been closed just a fortnight ago, which is being inferred to mean that Moscow has allowed the once-arrested REvil gang to resume activities.
Ferrett also says that it's currently not confirmed that the blog is run by the same REvil team, and other actors have been seen using versions of the malware in previous months. But the fact that REvil's former onion address redirects to this new leak site suggests at least some degree of connection to the original group.
Sam Curry, chief security officer at Cybereason, says that the speedy takedown of REvil in January took the world by surprise. It appeared that Russia had been playing nicely with the world order and that a rapprochement with the West - and with the Biden administration, specifically - was a real possibility.
"A month later, with the invasion of Ukraine and then the nationalization of ransomware cartels like the Conti group, the perspective changed. Now, if the reports are to be believed, the return of REvil to the cyber world begs the question: Is this the return of the 'suicide squad' for another mission, or was it law enforcement theater all along? " Curry says.
"The redirect could only have been set up by somebody with access to REvil's servers - and that list could include law enforcement, unknown third parties and, of course, members of REvil," says Brett Callow, threat analyst at Emsisoft.
Russian government involvement is also a possibility. Prior to the apparent reemergence of REvil, Natalia Tkachuk, head of the Information Security and Cybersecurity Service, which is part of the National Security and Defense Council of Ukraine, suggested in an interview with Recorded Future's The Record that the earlier Russian arrest of REvil participants was likely part of a special operation aimed either at hiding criminals from Western law enforcement agencies "or at directing them to work for the government. It is possible that some representatives of these detained groups are already involved in the planning and execution of cyberattacks on Ukrainian infrastructure."