The Tor (opens in new tab) sites of the infamous REvil (opens in new tab) ransomware group have suddenly come back online following months of inactivity.
While the group took down all of its websites (opens in new tab) and essentially shut down its operations back in September of 2021 before being dismantled by Russia’s FSB (opens in new tab) at the beginning of this year, its sites on Tor now redirect to a new ransomware (opens in new tab) operation that launched only recently.
At this time, it is still unclear as to who or which group is behind this new operation but the new leak site contains a lengthy list of past REvil victims as well as two new ones.
According to BleepingComputer (opens in new tab), security researchers pancak3 and Soufiane Tahiri recently spotted ads promoting the new REvil leak site on the Russian online hacking forum RuTOR. Despite the fact that the new site is hosted on a different domain (opens in new tab), it still leads to the original one REvil used during its heyday.
Who’s running the new leak site?
As cybercriminals have started employing a Ransomware-as-a-Service (opens in new tab) (RaaS) model, the new leak site (opens in new tab) explains that affiliates get an improved version of the REvil ransomware as well as a 80/20 split of all of the ransom payments collected.
When it comes to victims, the site features a 26-page list and while most of them are from previous attacks, the last two appear to be related to this new operation and one of which includes Oil India.
In November of last year when REvil’s data leak and payment sites were still under the control of the FBI, both sites showed a page with the title “REvil is bad” alongside a login form. Even though law enforcement seized the ransomware group’s sites, these redirects suggest that someone else has access to the Tor private keys that made it possible for them to make changes to the group’s .Onion site.
> Russia says it has dismantled the REvil ransomware gang (opens in new tab)
> Ransomware payments hit a new all-time high last year (opens in new tab)
> IT workers believe ransomware is as serious as terrorism (opens in new tab)
Users on a popular Russian-speaking hacking forum have begun discussing whether the new leak site is a scam, a honeypot (opens in new tab) set up by the authorities or a legitimate continuation of REvil’s prior business. To make matters more confusing, there are currently multiple ransomware operations that are using REvil’s encryptors or are outright impersonating the original group.
Once security researchers take a closer look at the new leak site, we may finally have some answers regarding whether or not the REvil ransomware group has magically come back from the dead.
- Keep all of your devices virus free with the best malware removal software (opens in new tab)
Via BleepingComputer (opens in new tab)