REvil ransomware may be set to return

The ransomware group disappeared from the internet in July, abandoning forums and disconnecting its servers. Now, the infrastructure is back

Many of the dark-web servers belonging to the REvil ransomware group have resurfaced after being offline for about two months, sparking fears that the group is preparing for new attacks.

The REvil gang was responsible for some of the biggest ransomware attacks in the last 12 months, but disappeared very suddenly in July.

This week, security researchers took to social media to show that the group's Happy Blog data leak site and the Tor payment/negotiation portal had suddenly returned to the dark web.

Happy Blog was not updated while it was down; it still shows the same entries it had on 13th July.

REvil's payment portal, where victims could negotiate with the group's operatives, has also resurfaced, although it doesn't appear to be fully functional yet. The portal shows a login screen, but doesn't allow anyone to actually log in.

The gang's decoder[.]re domain is still offline.

On 2nd July, the REvil gang used a zero-day bug in Kaseya's VSA remote management tool to encrypt about 60 managed service providers and over 1,500 of their small- and medium-sized business customers - a massive supply chain strike.

The Kaseya attack came less than a month after a summit between Presidents Biden and Putin in Geneva, where both leaders discussed the issue of cybersecurity in detail.

Biden asked Putin that Russia stop giving safe haven to ransomware groups launching attacks on American enterprises.

When REvil disappeared from the internet in July - abandoning forums, disconnecting its servers, and shutting down its dark web presence - experts suspected the Russian government had forced the group to cease operations, to show the world that it was working with the US government.

A report by Trustwave SpiderLabs in July claimed that the ransomware code used in the Kaseya attack was designed to avoid computer systems with default languages from the former USSR region.

About a week after REvil disappeared, Kaseya said that it had obtained a 'universal decryptor key' for the ransomware from a third party, and that it was providing the tool to all affected customers to help restore their environments.

Experts said that it was possible that the Russian government obtained the key directly from REvil's operators, and shared it with US agencies as a gesture of goodwill.

Commenting on REvil's alleged return, Chris Sedgwick, director of security operations at Talion, said: "Hacker groups disappearing when things heat up is something we have seen frequently in the past, with cases like Emotet or Anonymous. When groups do disappear, it is generally to buy some time and take the limelight off them from law enforcement agencies, and it rarely means they are disappearing for good.

"On the assumption that this is indeed the same threat group operating the infrastructure, we would expect to see a new ransomware variant from the group in the near future, but with much more carefully selected victims to keep the media and Government attention off them as much as possible."