REvil is back - and wants to rebuild its reputation

Image of padlock against circuit board/cybersecurity background
(Image credit: Future)

An alleged representative of the notorious REvil ransomware gang has started engaging with members on the Russian-language Exploit cybercrime forum, sharing details about the group’s apparent re-emergence.

After being offline for a majority of two months, several of the dark-web servers belonging to REvil came back online recently.

REvil went offline after orchestrating the Kaseya attacks back in July, following which its properties on both the dark-web and normal web went offline. The disappearance led to speculation that the group could have been hit by law enforcement agencies, especially since the emergence of a universal decryptor key to help all victims unlock their machines. 

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> <a href="https://project.tolunastart.com/tqsruntime/main?surveyData=LFFFsT0HpgsyUe0tTFumBJohXK8Sedt0ARpsCF4DRGR+oCoVbvd+2+d8+UNIIx4L" data-link-merchant="project.tolunastart.com"" target="_blank">Click here to start the survey in a new window <<

However, the purported representative now claims the release of the universal key was an accident, which when discovered was forwarded to law enforcement agencies. 

“One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine,” wrote REvil’s new representative in the Russian-post translated by security researchers at Flashpoint.

Mending bridges?

Surprisingly though, the representative didn’t offer any explanation on the disappearance of the group. However, the post didn’t mention that the group was able to restore their operations from backup, which perhaps means that it was targeted in some kind of an offensive operation by the good guys. 

In any case, after being in the dark for several weeks, the group has started to restore its online properties. While the cybersecurity community is still skeptical of the group’s return, Flashpoint has seen at least one instance of the group trying to rebuild their reputation with former collaborators, who weren’t pleased with REvil’s sudden disappearance. 

According to Flashpoint, a threat actor on the forum, opened an arbitration case against the REvil spokesperson for unpaid dues from an earlier operation, but soon marked it as resolved, which perhaps indicates that REvil has cleared its dues. 

If there’s merit in REvil’s efforts to rebuild ties with old affiliates, it would nicely tie into the narrative of security vendor Exabeam’s chief security strategist, Steve Moore, who told us last week that the group took the downtime to regroup, and is all set to resume operations, with gusto.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.