Security researchers say that the notorious ransomware REvil, also known as Sodinokibi, has returned after laying low for six months.
The Return of the REvil/Sodinokibi Ransomware Gang
According to Secureworks Counter Threat Unit (CTU) researchers, analysis of samples recently uploaded to VirusTotal indicates that “the developer has access to REvil’s source code, reinforcing the likelihood that the threat group has reemerged.” The appearance of multiple samples with various modifications in such a short period of time most likely means that its operators are currently working on new versions.
Various notable changes have been incorporated into REvil’s source code in the samples the security firm analyzed, including updates to its string decryption logic, the configuration storage location, and the hard-coded public keys. The associated Tor domains displayed in the ransom note have also changed. Researchers suspect that the return of Sodinokibi/REvil is connected to the Russia-Ukraine events.
In September 2021, Bitdefender published a universal decryption tool to help REvil victims recover their encrypted files. The decrypter was developed with trusted law enforcement partners, according to the company’s statement. The decrypter only worked with files encrypted before July 13 the same year.
In July 2021, Kaseya, the company hit by a large-scale REvil ransomware attack, said it had obtained the official decryption key, three weeks after the attack took place.