Evidence that members of the defunct REvil group may be reviving the ransomware gang continues to accumulate, but cybersecurity experts question whether the group will have the same impact that it once did.
On April 29, anti-malware firm Avast revealed that the company's software had blocked a ransomware sample that appeared to have been generated using information that only previous members of the REvil group could have accessed. The discovery of the file came more than a week after cybersecurity firm Emsisoft revealed that the Web address of REvil's old leak site now points to a new host, one that uses the REvil name and claims to have compromised a US university and an oil company in India.
These two breadcrumbs suggest that someone (or someones) has access to the REvil group's source code and infrastructure and may be restarting the operation, says Brett Callow, threat analyst at Emsisoft. They don't, however, prove it's the old crew getting back together.
"These facts do not necessarily prove ... that the old REvil gang is back," he says. "Instead, they simply indicate that one or more people who were previously connected with the operation have decided to pick up the reins."
Either way, the apparent resurrection of the group highlights the difficulty that cybersecurity professionals, law enforcement, and prosecutors have in disrupting successful cybercriminal groups.
Following the critical attacks on meat processor JBS and IT management firm Kaseya in 2021, REvil shut down for a few months but reappeared in September. Then in January, Russian officials reportedly arrested 14 members of the group and raided more than two dozen locations, raising hopes that the takedown would last.
Instead, the group seems to have fragmented, with members working with other ransomware operations. Now some members may be making a half-hearted attempt to resurrect the REvil brand. That tepid revival raises the question of what constitutes a group, Callow says: a couple of satellite members working together to re-create the ransomware gang's operation would not seem to pose the same threat as the original crew.