The infamous REvil ransomware gang seems to be back in business
The infamous REvil ransomware gang appears to be back in business months after being taken offline and members arrested.
Researchers have spotted that the address used for the REvil leak site has been redirected to a new site on the darknet, a shady part of the internet accessible with special software called a Tor browser. The new page includes previous REvil attacks and new attacks including Oil India Ltd.
As was typically the case with previous REvil attacks, a blog post threatens to release stolen data, including contracts, customer information and email chats, unless Oil India negotiates to pay a ransom. The Oil India attack was confirmed on April 13. Those responsible for the attack demanded payment of 196 bitcoins ($7.9 million) to provide a decryption key and pledge not to publish the stolen data.
A “join us” page on the new site written in Russia explains how others can become affiliated with the gang with the promise of an 80/20 split on the ransoms collected.
It’s not 100% certain if this is actually REvil’s rebirth or if another ransomware gang is using its name. Bleeping Computer reported Wednesday that some of the strings in the new site’s code point to other ransomware groups, including the Corp Links and TelsaCrypt gangs. There is also speculation on Russian hacking forums as to whether this new operation is a scam, a honeypot or a legitimate continuation of the old REvil company.
If it is legitimate for REvil to be reborn, companies should be concerned. REVil, also known as Sodinokibi, first emerged in May 2019 and was a prolific ransomware group linked to dozens of attacks. The most well-known attack was that of Kaseya Ltd.’s information technology management software. in July.
The attack was first detected in a Swiss supermarket chain and then spread to other Kaseya VSA users, with the total number of victims estimated at between 800 and 1,500. prompted the US government to warn that it would take action against Russia if it was tied to the country.
Other REvil attacks include those targeting meat processing company JBS SA, Taiwanese manufacturer Quanta Computer Inc., and Travelex.
“While it’s too early to say where this came from or what the implications are, there has been some movement on the online onion website of the REvil ransomware gang ‘Happy Blog'”, John Hammond , senior security researcher at managed detection and response company Huntress Labs Inc., told SiliconANGLE. “Historically this was the ransomware gang’s leak site, where they published the data of their ransomware victims who refused to pay the ransom, but for a while the site was offline and REvil seemed to have disappeared The “Join Us” page suggests that new work can be done with “the same proven (but improved) software”, indicating that it could be a new version of REvil.