The Tor sites of the infamous REvil ransomware group have suddenly come back online following months of inactivity.
While the group took down all of its websites and essentially shut down its operations back in September of 2021 before being dismantled by Russia’s FSB at the beginning of this year, its sites on Tor now redirect to a new ransomware operation that launched only recently.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.
At this time, it is still unclear as to who or which group is behind this new operation but the new leak site contains a lengthy list of past REvil victims as well as two new ones.
According to BleepingComputer, security researchers pancak3 and Soufiane Tahiri recently spotted ads promoting the new REvil leak site on the Russian online hacking forum RuTOR. Despite the fact that the new site is hosted on a different domain, it still leads to the original one REvil used during its heyday.
Who’s running the new leak site?
As cybercriminals have started employing a Ransomware-as-a-Service (RaaS) model, the new leak site explains that affiliates get an improved version of the REvil ransomware as well as a 80/20 split of all of the ransom payments collected.
When it comes to victims, the site features a 26-page list and while most of them are from previous attacks, the last two appear to be related to this new operation and one of which includes Oil India.
In November of last year when REvil’s data leak and payment sites were still under the control of the FBI, both sites showed a page with the title “REvil is bad” alongside a login form. Even though law enforcement seized the ransomware group’s sites, these redirects suggest that someone else has access to the Tor private keys that made it possible for them to make changes to the group’s .Onion site.
Users on a popular Russian-speaking hacking forum have begun discussing whether the new leak site is a scam, a honeypot set up by the authorities or a legitimate continuation of REvil’s prior business. To make matters more confusing, there are currently multiple ransomware operations that are using REvil’s encryptors or are outright impersonating the original group.
Once security researchers take a closer look at the new leak site, we may finally have some answers regarding whether or not the REvil ransomware group has magically come back from the dead.