REvil ransomware gang may be back in town

Just when you thought it was a bit safer to go back in the waters of your business, a dreaded ransomware gang appears to have resurfaced. Following a two-month disappearing act in which its internet-faced servers went offline, the REvil ransomware group has popped up again. At least, two of its sites are back up.

SEE: Kaseya attack: How ransomware attacks are like startups and what we need to do about that (TechRepublic)

The group’s “Happy Blog” through which it happily publicized its criminal activity and leaked stolen data popped up on Tuesday, according to BleepingComputer. The latest victim found on the site was added on July 8, a few days before REvil went off the grid.

Also alive again is REvil’s Tor payment and negotiation site at which it would work with victims to grab payment for its ransom demands. But while the Happy Blog is functional, the negotiation site doesn’t seem to be fully working, BleepingComputer said. Though the login screen appears, people aren’t able to actually sign in.

Analysts and others have speculated as to the reason behind the sudden reappearance of these key sites. This could be a sign that the group itself is back in business and starting to reactivate its core sites. It could mean that former members of REvil are trying to reawaken under different groups and are collecting data from these sites. Another theory is that law enforcement officials have brought the sites back up as a way to check out the information.

“It is observed that cybercriminal groups will operate for a while and then separate, forming into other groups,” KnowBe4 security awareness advocate James McQuiggan told TechRepublic. “With this recent activity, it is most likely possible that they are collecting files, data, zero-days or other malware to use in their next group. The other hypothesis is law enforcement has gained access to forensically analyze the data. Either way, REvil is possibly out of commission; but like the ancient Greek story of the hydra, cut off one head, and three more grow in its place. The same could be occurring with this activity.”

Garnering a name for itself as a dangerous and destructive ransomware group, REvil was most recently responsible for a devastating attack against enterprise IT firm Kaseya. On July 3, Kaseya revealed an exploit used against its VSA product, a program used by Managed Service Providers (MSPs) to remotely monitor and administer IT services for customers. The supply chain nature of Kaseya’s business caused a ripple effect that encrypted data across more than 1,000 businesses.

Gladly taking credit for the attack, REvil threw out an interesting offer. In exchange for $70 million worth of bitcoin, the group would publish a universal decryptor that would allow all infected companies to recover their files. Shortly afterward, Kaseya obtained a universal decryptor key, though the firm said it got the key from a trusted third party.

Not long after, REvil’s online sites went offline. At the time, some analysts and experts speculated that the group was laying low after its attack against Kaseya. Others said that the group may have disbanded, with its members likely to resurface elsewhere. And some thought the U.S. government or other official entities might have cut the group’s online cord, forcing its sites to shut down.

Another theory is that Russia itself intervened. REvil is a Russia-based group reportedly linked to the Russian government or at least operating with its tacit permission. U.S. President Joe Biden spoke with Russian President Vladmir Putin after the attack, as noted by ZDNet. In that conversation, Biden may have pressured Putin to do more about ransomware, perhaps prompting the Russian president to force REvil to lay low or even disband.

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays

Sign up today

Also see