An alleged representative of the notorious REvil ransomware (opens in new tab) gang has started engaging with members on the Russian-language Exploit cybercrime forum, sharing details about the group’s apparent re-emergence.
After being offline for a majority of two months, several of the dark-web servers belonging to REvil came back online recently.
REvil went offline after orchestrating the Kaseya attacks (opens in new tab) back in July, following which its properties on both the dark-web and normal web went offline (opens in new tab). The disappearance led to speculation that the group could have been hit by law enforcement agencies, especially since the emergence of a universal decryptor key to help all victims unlock their machines.
- We’ve also compiled a list of the best ransomware protection tools (opens in new tab)
- These are the best malware removal (opens in new tab) software on the market
- Check our list of the best firewall apps and services (opens in new tab)
However, the purported representative now claims the release of the universal key was an accident, which when discovered was forwarded to law enforcement agencies.
“One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine,” wrote REvil’s new representative in the Russian-post translated (opens in new tab) by security researchers at Flashpoint.
Mending bridges?
Surprisingly though, the representative didn’t offer any explanation on the disappearance of the group. However, the post didn’t mention that the group was able to restore their operations from backup, which perhaps means that it was targeted in some kind of an offensive operation by the good guys.
In any case, after being in the dark for several weeks, the group has started to restore its online properties. While the cybersecurity (opens in new tab) community is still skeptical of the group’s return, Flashpoint has seen at least one instance of the group trying to rebuild their reputation with former collaborators, who weren’t pleased with REvil’s sudden disappearance.
According to Flashpoint, a threat actor on the forum, opened an arbitration case against the REvil spokesperson for unpaid dues from an earlier operation, but soon marked it as resolved, which perhaps indicates that REvil has cleared its dues.
If there’s merit in REvil’s efforts to rebuild ties with old affiliates, it would nicely tie into the narrative of security vendor Exabeam’s chief security strategist, Steve Moore, who told us last week that the group took the downtime to regroup, and is all set to resume operations, with gusto.
- Protect your devices with these best antivirus software (opens in new tab)