1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • REvil ransomware is officially back, experts claim

    From TechnologyDaily@1337:1/100 to All on Thu May 12 12:30:04 2022
    REvil ransomware is officially back, experts claim

    Date:
    Thu, 12 May 2022 11:11:20 +0000

    Description:
    This time REvil won't spare Russian-speaking targets, it seems.

    FULL STORY ======================================================================

    Fresh evidencehas emerged that the notorious REvil ransomware is back with a vengeance, as newly discovered samples point to the fact that the group is
    now indiscriminate in the choice of its targets.

    Cybersecurity researchers from Secureworks analyzed new malware samples recently uploaded to VirusTotal and came to the conclusion that whoever was behind it probably had access to REvils source code in the past.

    That led the researchers to believe that this is probably the same group
    whose operations were shut down late in 2021.

    Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 . Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/10.99. Nothing is off limits any more

    "The identification of multiple samples containing different modifications
    and the lack of an official new version indicate that REvil is under active development," the researchers said in a blog post announcing the news.

    A new REvil leak site was recently sprung up. This newest sample, as well as an older sample, discovered in October last year, all point to REvil being active again.

    In these new versions, researchers spotted upgrades in the string decryption logic, making it rely on a new command-line argument. Hard-coded public keys have been updated, as well as configuration storage location and the data format for affiliate tracking.

    But perhaps the biggest change is the removal of off-limits regions. Older versions of REvil would check the geographical location of the infected endpoint, and if it met certain criteria (for example, if it was in a Russian-speaking community), would not activate.

    This is no longer the case.

    "The October 2021 REvil sample removed code that verified the ransomware was not executing on a system that resided within a prohibited region," the CTU researchers wrote. "This removal enabled REvil to execute on any system regardless of its location." Read more

    REvil Tor sites have come back to life


    REvil is back - and wants to rebuild its reputation


    REvil ransomware group is back with a vengeance

    REvil was initially shut down after a joint US-Russia operation, with the Russians arresting more than a dozen members.

    As Russias invasion of Ukraine soured relations between it and the US, the US government went ahead and unilaterally shut down the communication channel it had on cybersecurity with Moscow. As a result, the US has also withdrawn itself from the negotiation process regarding REvil.

    Prior to Secureworks analysis, other cybersecurity firms warned of REvils resurgence, including Avast, Advanced Intel, R3MRUM, and others. Protect your digital property from threat actors with the best firewalls around

    Via: The Register



    ======================================================================
    Link to news story: https://www.techradar.com/news/revil-ransomware-is-officially-back-experts-cla im/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)