Months after it was shut down in a global law enforcement operation, the REvil ransomware operation has been confirmed to have returned, following the discovery of a new ransomware encryptor by Avast researcher Jakub Kroustek, BleepingComputer reports.
Several security and malware researchers noted new features in the sample, which was built from the original REvil source code. Security researcher R3MRUM observed that although the sample carries a revised version number, it is a continuation of the last version released before REvil was dismantled.
"...[M]y assessment is that the threat actor has the source code. Not patched like 'LV Ransomware' did," said R3MRUM.
That the new REvil sample was compiled from source code was also confirmed by Advanced Intel CEO Vitali Kremez, who reverse-engineered it.
Kremez also found a new "accs" configuration field in the sample that holds credentials specific to particular victims. Such an option may be used to prevent encryption on devices that lack the named accounts and Windows domains, restricting the payload to its intended targets. The sample's SUB and PID configuration options were also found to have been modified.
Cybercrime group Asylum Ambuscade, which has targeted over 4,500 victims around the world since January 2022, has expanded its operations to include cyberespionage attacks targeted at European and Central Asian governments after mostly targeting North American banks, businesses, and cryptocurrency firms, reports The Record, a news site by cybersecurity firm Recorded Future.
North Korean state-sponsored threat group Lazarus Group has been linked "with a high level of confidence" to the theft of $35 million from Atomic Wallet last week, after researchers found that the techniques used in the latest intrusion match those seen in the group's earlier attacks, reports The Record, a news site by cybersecurity firm Recorded Future.