The operators of the REvil ransomware group, one of the most devastating cybercriminal syndicates in recent history, have made a comeback after reportedly shutting down following the brazen Kaseya cyber event on July 4.
Cybersecurity analysts have since confirmed that the dark web servers for the ransomware operation have suddenly been switched back on after a two-month break. At this point, no one has a clear idea whether the ransomware gang is back in action or whether the reappearance is a law enforcement action to gather evidence.
The latest events have elicited excitement across various cybersecurity circles, with an underground intelligence commentator and Recorded Future author sharing a screenshot via Twitter of REvil’s now-operational data leak site, called Happy Blog (see below).
Figure 1: Screenshot of a Twitter post showing an operational REvil Happy Blog web page (Source: Twitter)
In addition, the cyber news site Bleeping Computer reported that a new victim entry was made by REvil operators on July 8 following a recent cyberattack by the group. The same report went on to note that the Tor negotiation website is also back online.
However, unlike the fully functional Happy Blog, REvil’s Tor negotiation site is reportedly not fully operational yet. Bleeping Computer discovered that while users can view the login screen, they cannot log in to the site for now.
While speaking to ZDNet, ransomware guru Allan Liska commented that REvil’s return was expected – although he had predicted that the ransomware group would make its comeback under a different business name and with a new ransomware type.
The ransomware expert went on to associate the ransomware gang’s disappearance with its need to drop off the law enforcement radar following aggressive cyberattacks that had drawn the full attention of the world.
Importantly, Liska pointed out that REvil’s return while retaining its group name will prove to be a liability in the long term. Law enforcement agencies and cyber researchers will keep probing for information concerning the planned activities of its operators.
The Mysterious Hiatus
Believed to be domiciled in Russia, REvil has been connected to some of the biggest cyberattacks in 2021. Not too long ago, the ransomware gang breached America’s largest meat supplier JBS and extorted about $11 million from the firm.
The ransomware group would go on to orchestrate another hack against the global IT supplier Kaseya, demanding a $70 million ransom in exchange for access to encrypted victim files.
Barely two weeks after the Kaseya breach, REvil’s web services disappeared from the internet under unclear circumstances.