Flash Report: New REvil Version Identified


ZeroFox Threat Intelligence researchers have observed updated samples indicating that REvil or someone close to the group has resumed operations. REvil—also sometimes referred to as Sodinokibi—is a ransomware family that first appeared in April 2019 and is thought to be a rebrand of the GandCrab ransomware. 

The group has been attributed to high-profile attacks, such as the ones against JBS Foods and Kaseya in 2021. Although several members of the group were arrested in January 2022, that does not appear to have deterred the remaining members. After halting all public activity in October 2021, REvil appears to have resumed operations in April 2022.

Key Findings

ZeroFox has observed multiple updates to REvil’s leak site since then, with five new victims appearing since the site came back online. In light of the resurgence of REvil and subsequent attacks, ZeroFox has assembled a Flash Report, which details the following key findings:

  • REvil joins a growing list of ransomware families requiring predetermined command line arguments to function.
  • REvil no longer refuses to run based on an infected system’s language.
  • An unused configuration element introduced previously is now populated with credentials.


Based on key findings and threat intelligence analysis, ZeroFox recommends businesses take the following steps: 

  • Ensure antivirus and intrusion detection software is up to date with all patches and rule sets.
  • Enable two-factor authentication for all organizational accounts to help mitigate phishing and credential stuffing attacks.
  • Maintain regularly scheduled backup routines, including off-site storage and integrity checks.
  • Avoid opening unsolicited attachments and never click suspicious links.

To read additional analyst commentary and recommendations, download your copy of the Flash Report here. 

Please note that this information is current as of the intelligence collection conclusion at 2:00 PM EST on May 13, 2022.

