The infamous REvil ransomware gang appears to have returned to business months after being taken offline and members getting arrested.
Researchers have spotted that the address used for REvil’s leak site has been redirected to a new site on the darknet, a shady part of the internet reachable with special software called a Tor browser. The new page includes previous REvil attacks and new attacks, including Oil India Ltd.
As was typical with previous REvil attacks, a blog post threatens to publish stolen data, including contracts, client information and messaging chats, unless Oil India negotiates to pay a ransom. The Oil India attack was confirmed on April 13. Those behind the attack demanded a payment of 196 bitcoins ($7.9 million) to provide a decryptor key and a pledge not to publish the stolen data.
A “join us” page on the new site, written in Russian, explains how others can become affiliates of the gang, with a promise of an 80/20 split on ransoms collected.
It’s not 100% certain whether this is actually REvil reborn or another ransomware gang using its name. Bleeping Computer reported Wednesday that some of the strings in the code for the new site point to other ransomware groups, including the Corp Links and TeslaCrypt gangs. There is also some speculation on Russian hacking forums as to whether this new operation is a scam, a honeypot or a legitimate continuation of the old REvil business.
If it is legitimately REvil reborn, companies should be concerned. REvil, also known as Sodinokibi, first appeared in May 2019 and was a prolific ransomware group linked to dozens of attacks. The best-known attack was on information technology management software from Kaseya Ltd. in July.
The attack was first detected at a Swiss supermarket chain, then spread to other Kaseya VSA users, with the total number of victims believed to be between 800 and 1,500. The size of the attack prompted the U.S. government to warn it would take action against Russia if the attack was linked to the country.
Other REvil attacks include those targeting meat processing company JBS SA, Taiwanese manufacturer Quanta Computer Inc. and Travelex.
“While it is too early to tell where this stems from or what the implications are, there has been some movement on the REvil ransomware gang’s online onion website ‘Happy Blog,’” John Hammond, senior security researcher at managed detection and response company Huntress Labs Inc., told SiliconANGLE. “Historically, this has been the ransomware gang’s leak site, where they publish data of their ransomware victims that had refused to pay the ransom, but for some time, the site had been offline and REvil seemed to have vanished from the internet. The ‘join us’ page suggests new work can be carried out with ‘the same proven (but improved) software,’ supporting that this could be a new rendition of REvil.”