{
	"id": "9a7cc391-4d83-476f-ae7e-ae1ed56d8909",
	"created_at": "2026-04-06T00:17:47.051359Z",
	"updated_at": "2026-04-10T03:20:20.015387Z",
	"deleted_at": null,
	"sha1_hash": "a6e4e7ebde5a53961d8abfc5d97a20191636cdd8",
	"title": "REvil ransomware returns: New malware sample confirms gang is back",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2188250,
	"plain_text": "REvil ransomware returns: New malware sample confirms gang is back\r\nBy Lawrence Abrams\r\nPublished: 2022-05-01 · Archived: 2026-04-05 21:20:00 UTC\r\nThe notorious REvil ransomware operation has returned amidst rising tensions between Russia and the USA, with new infrastructure and a modified encryptor allowing for more targeted attacks.\r\nIn October 2021, the REvil ransomware gang shut down after a law enforcement operation hijacked their Tor servers, followed by arrests of members by Russian law enforcement.\r\nHowever, after the invasion of Ukraine, Russia stated that the US had withdrawn from the negotiation process regarding the REvil gang and closed communications channels.\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/\r\nPage 1 of 6\n\nREvil's Tor sites come back to life\r\nSoon after, the old REvil Tor infrastructure began operating again, but instead of showing the old websites, it redirected visitors to URLs for a new unnamed ransomware operation.\r\nWhile these sites looked nothing like REvil's previous websites, the fact that the old infrastructure was redirecting to the new sites indicated that REvil was likely operating again. 
Furthermore, these new sites contained a mix of new victims and data stolen during previous REvil attacks.\r\nWhile these events strongly indicated that REvil had rebranded as the new unnamed operation, the Tor sites had also previously displayed a message in November stating that \"REvil is bad.\"\r\nThat defacement meant that other threat actors or law enforcement also had access to REvil's Tor sites, so the websites themselves were not strong enough proof of the gang's return.\r\nREvil's Tor sites are defaced with an anti-REvil message\r\nSource: BleepingComputer\r\nThe only way to know for sure whether REvil was back was to find a sample of the ransomware encryptor and analyze it to determine whether it was patched or compiled from source code.\r\nA sample of the new ransomware operation's encryptor was finally discovered this week by Avast researcher Jakub Kroustek and has confirmed the new operation's ties to REvil.\r\nRansomware sample confirms return\r\nWhile a few ransomware operations are using REvil's encryptor, they all use patched executables (binaries modified after compilation) rather than having direct access to the gang's source code.\r\nHowever, BleepingComputer has been told by multiple security researchers and malware analysts that the discovered REvil sample used by the new operation is compiled from source code and includes new changes.\r\nSecurity researcher R3MRUM has tweeted that the REvil sample has had its version number changed to 1.0 but is a continuation of the last version, 2.08, released by REvil before they shut down.\r\nVersion change in new REvil encryptor\r\nIn discussion with BleepingComputer, the researcher said he could not explain why the encryptor doesn't encrypt files but believes it was compiled from source code.\r\n\"Yes, my assessment is that the threat actor has the source code. Not patched like 'LV Ransomware' did,\" R3MRUM told BleepingComputer.\r\nAdvanced Intel CEO Vitali Kremez also reverse-engineered the REvil sample this weekend and has confirmed to BleepingComputer that it was compiled from source code on April 26th and was not patched.\r\nKremez told BleepingComputer that the new REvil sample includes a new configuration field, 'accs,' which contains credentials for the specific victim that the attack is targeting.\r\nKremez believes that the 'accs' configuration option is used to prevent encryption on other devices that do not contain the specified accounts and Windows domains, allowing for highly targeted attacks.\r\nIn addition to the 'accs' option, the new REvil sample's configuration has modified SUB and PID options, used as campaign and affiliate identifiers, to use longer GUID-type values, such as '3c852cc8-b7f1-436e-ba3b-c53b7fc6c0e4.'\r\nBleepingComputer also tested the ransomware sample, and while it did not encrypt, it did create the ransom note, which is identical to REvil's old ransom notes.\r\nREvil ransom note\r\nFurthermore, while there are some differences between the old REvil sites and the rebranded operation, once a victim logs into the site, it is almost identical to the originals, and the threat actors claim to be 'Sodinokibi,' as shown below.\r\nNew ransomware operation claiming to be Sodinokibi\r\nSource: BleepingComputer\r\nWhile the original public-facing REvil representative known as 'Unknown' is still missing, threat intelligence researcher FellowSecurity told BleepingComputer that one of REvil's original core developers, who was part of the old team, relaunched the ransomware operation.\r\nAs this was a core 
developer, it would make sense that they also had access to the complete REvil source code and potentially the Tor private keys for the old sites.\r\nIt's not surprising that REvil has rebranded under the new operation, especially with the declining relations between the USA and Russia.\r\nHowever, when ransomware operations rebrand, they typically do it to evade law enforcement or sanctions preventing the payment of ransoms.\r\nTherefore, it is unusual for REvil to be so public about their return, rather than trying to evade detection like we have seen in so many other ransomware rebrands.\r\nSource: https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/"
	],
	"report_names": [
		"revil-ransomware-returns-new-malware-sample-confirms-gang-is-back"
	],
	"threat_actors": [],
	"ts_created_at": 1775434667,
	"ts_updated_at": 1775791220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a6e4e7ebde5a53961d8abfc5d97a20191636cdd8.pdf",
		"text": "https://archive.orkl.eu/a6e4e7ebde5a53961d8abfc5d97a20191636cdd8.txt",
		"img": "https://archive.orkl.eu/a6e4e7ebde5a53961d8abfc5d97a20191636cdd8.jpg"
	}
}