REvil Tor sites have come back to life

By Anthony Spadafora
last updated

New leak site lists both past and new ransomware victims

Representational image of a cybercriminal
(Image credit: Pixabay)

The Tor (opens in new tab) sites of the infamous REvil (opens in new tab) ransomware group have suddenly come back online following months of inactivity.

While the group took down all of its websites (opens in new tab) and essentially shut down its operations back in September of 2021 before being dismantled by Russia’s FSB (opens in new tab) at the beginning of this year, its sites on Tor now redirect to a new ransomware (opens in new tab) operation that launched only recently.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab)

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.

At this time, it is still unclear as to who or which group is behind this new operation but the new leak site contains a lengthy list of past REvil victims as well as two new ones.

According to BleepingComputer (opens in new tab), security researchers pancak3 and Soufiane Tahiri recently spotted ads promoting the new REvil leak site on the Russian online hacking forum RuTOR. Despite the fact that the new site is hosted on a different domain (opens in new tab), it still leads to the original one REvil used during its heyday.

Who’s running the new leak site?

As cybercriminals have started employing a Ransomware-as-a-Service (opens in new tab) (RaaS) model, the new leak site (opens in new tab) explains that affiliates get an improved version of the REvil ransomware as well as a 80/20 split of all of the ransom payments collected.

When it comes to victims, the site features a 26-page list and while most of them are from previous attacks, the last two appear to be related to this new operation and one of which includes Oil India.

In November of last year when REvil’s data leak and payment sites were still under the control of the FBI, both sites showed a page with the title “REvil is bad” alongside a login form. Even though law enforcement seized the ransomware group’s sites, these redirects suggest that someone else has access to the Tor private keys that made it possible for them to make changes to the group’s .Onion site.

Read More

> Russia says it has dismantled the REvil ransomware gang (opens in new tab)

> Ransomware payments hit a new all-time high last year (opens in new tab)

> IT workers believe ransomware is as serious as terrorism (opens in new tab)

Users on a popular Russian-speaking hacking forum have begun discussing whether the new leak site is a scam, a honeypot (opens in new tab) set up by the authorities or a legitimate continuation of REvil’s prior business. To make matters more confusing, there are currently multiple ransomware operations that are using REvil’s encryptors or are outright impersonating the original group.

Once security researchers take a closer look at the new leak site, we may finally have some answers regarding whether or not the REvil ransomware group has magically come back from the dead.

Via BleepingComputer (opens in new tab)

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

See more Computing news