REvil Attribution Update: BKA IDs 'UNKN' & 130 German Victims

Just caught the news regarding the BKA's breakthrough in identifying the key figures behind the REvil (Sodinokibi) operation. It’s fascinating to see the specific attribution to the alias 'UNKN,' who was the public face hawking the RaaS on XSS back in 2019.

While REvil technically went dark after law enforcement takedowns, this confirms that the hunt for the operators is far from over. With 130 German entities alone hit by this crew, the scope is massive. From a defensive perspective, it's a stark reminder that even if a group "disbands," the affiliates and the codebases often linger in the ecosystem. We know REvil was notorious for exploiting vulnerabilities like ProxyShell (CVE-2021-26855) and Zerologon (CVE-2020-1472) to gain initial access.

If you're hunting for legacy persistence or ensuring these vectors are closed, keep an eye out for the specific mutex patterns and registry keys associated with Sodinokibi variants. Here’s a quick snippet to scan for common persistence locations used by these older RaaS payloads:

# Legacy REvil Persistence Check
$regPaths = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
)

foreach ($path in $regPaths) {
    Get-ItemProperty -Path $path -ErrorAction SilentlyContinue | 
    Where-Object { $_.PSObject.Properties.Name -match "update" -or $_.PSObject.Properties.Value -match "\.{3,}" } | 
    Select-Object PSPath, @{Name="SuspiciousValue"; Expression={$_.PSObject.Properties.Value}}
}

Attribution like this is great for intelligence, but does anyone feel it changes the operational reality for SOC teams? Are you still seeing REvil-like signatures in your traffic, or have the affiliates fully migrated to newer strains like LockBit or BlackCat?