New clues point to REvil ransomware gang's return

New ransomware samples are providing more evidence that the REvil crimeware group is out of hibernation.

Researchers with Secureworks' Counter Threat Unit said that they have attributed recently-discovered ransomware samples to Gold Southfield, a known threat group affiliated with REvil and other prominent ransomware as a service (RaaS) operations.

In a blog post published Monday, the researchers noted the Gold Southfield malware uses much of the same source code as older REvil samples and much of the same infrastructure to host and disclose its victims.

"Analysis of these samples indicates that the developer has access to REvil's source code, reinforcing the likelihood that the threat group has reemerged," the Secureworks researchers explained in the blog post. "The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development."

The revelation is the latest piece of evidence that the REvil ransomware group, or at least part of it, has relaunched after several months of hiatus following the arrests of some of its members by Russian police.

In late April, security researchers began to notice that some of the ransomware traffic associated with previous REvil attacks had resurfaced. These suspicions were further confirmed when the REvil ransomware crew's dark web site was relaunched.

The group's latest breach at natural resources company Oil India reportedly included a ransom demand of roughly $7.5 million.

As with most modern ransomware groups, REvil operates as a RaaS model where the actual job of infiltrating networks and planting the malware is subcontracted out to individual hackers who then receive a cut of the ransom payment. REvil, meanwhile, handles communications with the victim as well as collecting the payment and disclosing the breach should the victim not agree to part with their cash.

The RaaS model has proven itself to be highly lucrative for the group, as REvil and its members have hauled in millions of dollars in extortion and ransom payments. The success of the group lead in part to Russian police arresting a number of REvil members late last year.

Should REvil indeed be back, experts warn that ransomware incidents could potentially see a jump as one of the most the prolific operation returns. Secureworks noted that the Gold Southfield sample could be particularly nasty as it runs with the region checks disabled. This will allow the ransom to infect networks in regions like Eastern Europe, which many ransomware groups have typically avoided.