Researchers have spotted that the Tor address used for REvil's leak site has been redirected to a new darknet site. The new page lists previous REvil attacks alongside new ones, including an attack on Oil India Ltd.
As was typical of previous REvil attacks, a blog post threatens to publish stolen data, including contracts, client information and messaging chats, unless Oil India negotiates and pays a ransom. The attack on Oil India was confirmed on April 13. Those behind it demanded 196 bitcoins (about $7.9 million) in exchange for a decryption key and a promise not to publish the stolen data.
A "Join Us" page on the new site, written in Russian, explains how others can become affiliates of the gang, with a promised 80/20 split of ransoms collected.
Although the site looks like REvil's and hosts previous REvil records, it is not certain that this is REvil reborn rather than another ransomware gang trading on its name. Bleeping Computer reports that some strings in the new site's source code point to other operations, including the Corp Leaks extortion site and the TeslaCrypt ransomware. There is also speculation on Russian hacking forums as to whether the new operation is a scam, a honeypot or a legitimate continuation of the old REvil business.
If this is legitimately REvil reborn, companies should be concerned. REvil, also known as Sodinokibi, first appeared in May 2019 and was a prolific ransomware group linked to dozens of attacks. The best known of them was the July 2021 attack on Kaseya Ltd.'s VSA information technology management software.
The attack was first detected at a Swedish supermarket chain, then spread to other Kaseya VSA users, with the total number of victims believed to be somewhere between 800 and 1,500. The scale of the attack prompted the U.S. government to warn that it would take action against Russia if the attack was linked to that country.
“While it is too early to tell where this stems from or what the implications are, there has been some movement on the REvil ransomware gang’s online onion website ‘Happy Blog,’” John Hammond, senior security researcher at managed detection and response company Huntress Labs Inc., told SiliconANGLE. “Historically, this has been the ransomware gang’s leak site, where they publish data of their ransomware victims that had refused to pay the ransom, but for some time, the site had been offline and REvil seemed to have vanished from the internet.”
“The ‘Join Us’ page suggests new work can be carried out with ‘the same proven (but improved) software,’ supporting this could be a new rendition of REvil,” Hammond explained.
“Again, it is too early to draw any strong conclusions, but pure speculation can certainly consider this a rebranding of REvil just after the US stops talking to Russia about taking down cybercriminals,” Hammond added.