The operations behind REvil ransomware-as-a-service (RaaS) staged a surprise return after a two-month hiatus following the widely publicized attack on technology services provider Kaseya on July 4.

REvil’s comeback occurred in the form of a new version of its operation’s code, which was released on July 29. This variant contains the same obfuscated programming language that helps it prevent antivirus detection, but comes with minor functional alterations that help REvil evade common defenses in Windows machines.

According to data from the security researcher Kevin Beaumont, who maintains a liveblog specifically designed to track incidents of ransomware infection, the sample (detected as RANSOM_EVIL.A) was delivered through a malicious Office document attachment. The payload installs two Mimikatz tools and the REvil executable to the C: drive.

This new version was detected by five out of 54 anti-virus engines as of July 30 at 9:36 MSK, and has been seen in attacks that targeted Ukraine and Italy.

REvil’s return comes after 79 days since the last reported attack involving this malware family took place on June 13.

In March, when this malware family’s development was halted, Kaspersky Lab’s researchers released highly detailed information about the ransomware that secured a sample that had been delivered through a phishing email. In the blog post “REvil: A Redeemed RaaS,” Kaspersky warned customers about this new variant and warned them not to blindly trust any encrypted files they receive in email attachments. The company also warned users not to attempt to recover encrypted data using file-deleting tools or third-party software because doing so may result in the encryption being actually performed by REvil itself.

Several researchers and security professionals claimed that the REvil RaaS developers would return, and Kaspersky Lab’s report last month revealed that REvil’s creators did not heed their warnings. In a June blog post titled “Reverse-Engineering a REvil Master,” ESET explained its research into the malware family that states there was an “unintentional leak of information from [the] RaaS operators when they forgot to remove debug code from their software.

REvil, which was created with the C# language, has not been seen since June 13. The ransomware first emerged on February 22, when it infected the network of an unnamed healthcare institute. Then began its exploits at multiple organizations in Europe and South America, including universities and businesses that were attacked between March 14 and June 7. Kaspersky Lab’s estimate pinpoints 28 separate incidents during this period.

ESET last month published a technical breakdown of REvil’s coding structure using the open-source .NET Reflector tool to identify all of its components through static analysis. The software maker also discovered that REvil is programmed to delete itself if more than 50 encrypted files are created simultaneously by the same user account.

The ransomware also installs a variety of different tools, including Mimikatz, to perform tasks such as extracting Windows account credentials or dumping password hashes. The malware is designed to be operated via the TOR network to conceal the identity of its operators. It also triggers decryption if victims pay more than 2 BTC (roughly $2,500) within 7 days, at which point the victim receives a key file that is used to decrypt all encrypted files within 24 hours.

Kaspersky Lab reported that REvil’s creators had begun accepting both bitcoins and PayPal as payment options on June 13. However, it is unclear if they continue to accept new members following this offering.

REvil-as-a-service (RaaS) has become a hot topic in malware research in recent months. Companies that offer this kind of support are the targets of several costly attacks. After the attack on Kaseya, Symantec’s researchers speculated that naming REvil’s creators as operators could lead to their identity being uncovered by law enforcement.

The REvil-as-a-service (RaaS) developers were originally caught as part of an operation conducted by the U.S. Department of Justice’s Computer Enforcement and Crime Act (CEAC) task forces in cooperation with Europol, Interpol, and the FBI. The operation was launched after the agencies received intelligence that indicated that a group of criminals had been developing and then selling malware on dark web platforms, according to a report released by Europol last month.

Kaspersky Lab experts urge companies to train their employees on how to identify malware threats. They should also practice safe browsing habits by avoiding visiting malicious websites and clicking on unknown links or attachments.

Interested in reading more about REvil? Ransom of $11 Million Paid by JBS to Hackers discusses a ransomware attack recently that REvil undertook.

Liquid Video Technologies Logo, zero trust, Security, Video Surveillance, Greenville South Carolina, cybersecurity, REvil

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access ControlFire, IT consultant, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.