REvil Group Returned After Arrests

Megiddo
The group has already carried out several attacks since the arrest of its members.

On January 14, 2022, during a special operation by the FSB and the Russian Ministry of Internal Affairs conducted at the request of the US authorities, searches were carried out at 25 addresses in Moscow, St. Petersburg, and the Moscow, Leningrad and Lipetsk regions. Fourteen members of the group were identified, and 426 million rubles, €500,000, $600,000 and 20 premium cars were seized from them. However, three weeks ago researchers discovered that REvil's servers and its blog on the Tor network were active again.

“The potential return of REvil coincides with the conclusion of discussions on cybersecurity issues between the US and Russia. It is possible that the Russian authorities stopped investigating the group or otherwise indicated to REvil members that they could resume their activities following the arrest of several members in January 2022,” said Chris Morgan, Digital Shadows Senior Cyber Threat Intelligence Analyst.

“Who exactly is coordinating the return of REvil is unclear. Perhaps one of the former members of REvil, or someone with access to the source code and infrastructure of the group, contributed to the revival,” Morgan added.

Since the group's return, researchers have located several victims of REvil ransomware attacks. According to cybersecurity expert Allan Liska, the new attacks do not appear to be as sophisticated as earlier REvil attacks.

According to the expert, the return may be explained either by former members using the REvil malware source code or by the group's own organizers resuming operations after a long break. According to a statement by Emsisoft threat analyst Brett Callow, several affected organizations have been removed from the REvil leak site, which suggests that some of those companies have paid the ransom.

"Time will tell if REvil is truly back or if the group's current activities are being run by an impostor looking to take advantage of the team's reputation," said analyst Chris Morgan.

The Secureworks Counter Threat Unit (CTU) on Monday published a detailed analysis of a new version of the REvil ransomware and concluded that whoever is behind the group's return has access to the source code and is actively developing the malware. The new sample has several notable features, including changes to the string decryption logic and embedded credentials that link it to a victim posted on the REvil leak site in April.

“Whoever runs REvil now has access to the ransomware source code and parts of the old infrastructure to support the software. Perhaps some or all of the GOLD SOUTHFIELD members have been released by the Russian authorities and are now back to work. Maybe not all members were arrested, and they resumed the operation on their own or with new members. Perhaps a trusted affiliate of GOLD SOUTHFIELD has taken control of the operation with the permission of the group. This is how the GOLD SOUTHFIELD group itself began: the operators of GandCrab, GOLD GARDEN, retired and sold their operation to an affiliate group called GOLD SOUTHFIELD,” Secureworks said.

As additional samples are analyzed and their modifications compared, researchers may be able to identify the developer from the changes made and the coding style. Secureworks CTU is aware of six victims: four posted to the REvil leak site and two identified from sample configurations.

Source: secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence