Months after being shut down in a global law enforcement operation, the REvil ransomware has been confirmed to have returned following the discovery of a new ransomware encryptor by Avast researcher Jakub Kroustek, BleepingComputer reports.
Various security and malware experts noted new features in the REvil sample built from the operation's source code, with security researcher R3MRUM observing that, while the sample carried a revised version number, it was a continuation of the final version released before REvil was dismantled.
"...[M]y assessment is that the threat actor has the source code. Not patched like "LV Ransomware" did," said R3MRUM.
Compilation of the new REvil sample from source code was also confirmed by Advanced Intel CEO Vitali Kremez, who reverse-engineered the sample.
In the new sample, Kremez found a new "accs" configuration field that holds the credentials of particular victims; such an option could be used to prevent encryption on devices that do not have the named accounts and Windows domains. Modified SUB and PID options were also found in the sample.
The Ukrainian hacktivist operation IT Army has claimed responsibility for a significant distributed denial-of-service attack against the Russian domestic airline booking system Leonardo, which is used by over 50 Russian carriers, according to The Record, a news site run by cybersecurity firm Recorded Future.
New attacks with the updated SysUpdate toolkit have been deployed by Chinese advanced persistent threat operation Budworm, also known as APT27, Emissary Panda, Bronze Union, Lucky Mouse, Iron Tiger, and Red Phoenix, against an Asian government and a Middle East-based telecommunications provider, reports The Hacker News.
Forty-five malicious NPM and PyPI packages have been deployed by threat actors to facilitate extensive data theft operations as part of a campaign that commenced on Sept. 12, according to BleepingComputer.