The REvil/Sodinokibi ransomware is once again undergoing active development, and its original operators are likely responsible, according to analysis conducted by the Secureworks Counter Threat Unit (CTU), which published its findings on 9 May 2022.
The CTU team analysed two samples of REvil submitted to VirusTotal, one towards the end of March, and one at the end of April. They say these samples clearly demonstrate the developer has access to REvil’s source code, which strongly implies that its operator – tracked as Gold Southfield by Secureworks – is definitively back in play.
Rob Pantazopoulos, senior consultant for information security research at Secureworks, told Computer Weekly the team was able to make this call with a considerable degree of confidence.
“Whoever is now operating REvil has access to the ransomware source code and parts of the old infrastructure used in support of it,” he said.
“It is possible that some or all of Gold Southfield members were released by the Russian authorities and that they have now returned to operations. It is equally plausible that not all members were arrested in the first place and have restarted the operation, with or without new members – or a trusted affiliate of Gold Southfield has taken over the operation with the blessing of the group. In fact, this is how the group started out themselves; the operators of Gandcrab, Gold Garden, retired and sold their operation to an affiliate group we now call Gold Southfield.”
Towards the end of April 2022, new intelligence suggested that both the REvil and Conti gangs were ramping up their operations – REvil having supposedly been taken off the board in a coordinated law enforcement sting, and Conti having been damaged by the leak of its secrets by a disgruntled affiliate.
In REvil’s case, somebody purporting to represent the group surfaced on 20 April, at which point REvil’s servers on the Tor network were found to be directing to an apparently new operation, suggesting a connection to still at-large gang members, or a new operator.
There was speculation at the time that given the war in Ukraine, the gang may have been given tacit permission to resume targeting victims by the Russian authorities, which were previously instrumental in its supposed downfall. Pantazopoulos suggested this was a distinct possibility.
“In our view, the Russian state attitude towards financially motivated cyber criminals is at best ambivalent and at worst complicit, so long as that criminality does not come into conflict with the interests of the Russian state,” he said.
“It seems implausible to us that there wouldn’t be some relationship between elements of the Russian state and law enforcement and some of these groups, but the extent of such relationships remains unclear.
“And despite the rhetoric and one or two positive actions, such as the arrests of some of the Gold Southfield members in early 2022, sustained Russian law enforcement disruption of the major cyber crime operations always seemed unlikely. After the invasion of Ukraine and the consequent Western response, Russia is even less incentivised to collaborate with Western law enforcement.”
Modifications
Secureworks said the March sample contains a number of modifications that distinguish it from REvil as it was in October 2021.
These include the update of string decryption logic to rely on a new command-line argument, which is possibly an attempt to prevent defenders or researchers detonating samples in a sandbox; an update to REvil’s hard-coded public keys; changes to how REvil tracks affiliate data; the removal of prohibited region checks, which presumably means REvil will now execute in Ukraine should it find itself there; and the inclusion of new Tor domains in the ransom note, which match to the new Tor domains found last month.
The April sample, which was initially highlighted by Avast’s Jakub Kroustek, contained nearly identical functionality, minus the string decryption changes, but also contained a bug that caused it not to encrypt the victim’s files but instead to rename them with a random extension – this appears to be a coding error on the developer’s part.
Secureworks stopped short of warning of imminent ransomware attacks by REvil. Pantazopoulos said: “It’s too early to say how REvil operations might develop over time. There are currently four victims posted to the leak site, and this rate falls short of its 2021 peak. However, there are numerous REvil samples with various modifications indicating active development, and we have observed attempts to recruit affiliates on underground forums, so it is entirely possible their levels of activity could increase quickly.”
Nevertheless, the firm is suggesting that at this time defenders use existing controls to review and restrict access to their networks. A full list of indicators and domains can be found in its blog post.