

REvil Ransomware gang’s ‘Return’ raises concern

Is REvil pulling off the never-ending comeback? The REvil gang first disappeared in the middle of last summer, returned a few weeks later, and was then knocked out by an international coalition, before its members were caught in a dragnet last November. A blow, but not a fatal one, since the group never really stopped. At the beginning of 2022, Russia's stated intent to put a definitive end to the group's activities seemed to have sealed REvil's fate for good. But the phoenix has apparently risen from its ashes once again.

A few days ago, security researchers pancak3 and Soufiane Tahiri noticed that a new REvil leak site, Happy Blog, had been advertised on RuTOR, a regional marketplace forum for Russian speakers. Although hosted on a different domain, this site links to the one REvil was using when it was active, and researchers have captured evidence that the old address actually redirects to it. The site details the terms under which affiliates can obtain an upgraded version of REvil and the split (80/20) of the ransom amounts paid or extorted. An interesting detail: the site carries information relating both to old attacks by the cybergang and to a much more recent one targeting Oil India, which the oil company has confirmed. The latter had been asked for no less than 196 bitcoins, or nearly $8 million, in ransom.

A resurrection since the beginning of April 2022
“While it’s too early to say where this came from or what the consequences are, there has been some unrest regarding the REvil ransomware cybergang’s Happy Blog website,” said John Hammond, senior security researcher at Huntress Labs, a company specializing in managed incident detection and response. “Historically this was a ransomware gang’s leak site, where they published the data of their victims who refused to pay the ransom, but for a while the site was offline and REvil seemed to have disappeared from the internet. The ‘Join Us’ page suggests that new work can be done with ‘the same tried and tested (but improved) software’, indicating that it could be a resurgence of REvil.”

Activity on this site has been recorded since April 5, 2022, with content added gradually over the following days. According to MalwareHunterTeam, its RSS feed embeds a corpleaks.com link tag, an artifact previously used by the Nefilim cybergang, which has since shut down. This presence is all the more intriguing since the resurrected REvil leak site also sets a cookie named DEADBEEF, which has been used by another group of cybercriminals, TesmaCrypt. To complicate matters further: while under the control of the FBI in November 2021, REvil's data leak and payment sites displayed a page titled “REvil is bad” and a login form, reachable via Tor gateways and the .onion address. The mystery of the redirects, both recent and last year's, deepens, as it suggests that someone other than law enforcement has access to the Tor private keys that allowed them to make changes to the .onion site.
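The attribution clues in the paragraph above (a link tag in the RSS feed that points at another gang's infrastructure, and a cookie name shared with yet another group) are the kind of infrastructure artifacts researchers compare across sites. The script below is an added example, not code from the article or from any researcher quoted in it. It parses a captured RSS feed and captured HTTP response headers into a small fingerprint (referenced hostnames and cookie names) and reports what two sites have in common. All feeds, headers and hostnames are constructed placeholders; only the cookie name DEADBEEF comes from the article, and the overlap it finds is illustrative rather than evidence about any real site.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample captures for two hypothetical leak sites (assumption:
# a researcher saved the RSS feed and response headers). None are real IoCs.
SITE_A_RSS = """<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel>
  <title>Leak site A</title>
  <link>http://sitea-placeholder.onion/</link>
  <atom:link href="http://sitea-placeholder.onion/rss" rel="self"/>
  <item><title>Victim 1</title><link>http://sitea-placeholder.onion/p/1</link></item>
  <item><title>Victim 2</title><link>http://legacy-leaks.example/p/2</link></item>
</channel></rss>"""
SITE_A_HEADERS = [
    "HTTP/1.1 200 OK",
    "Server: nginx",
    "Set-Cookie: session=abc123; Path=/; HttpOnly",
    "set-cookie: DEADBEEF=1; Path=/",  # cookie name taken from the article
]
SITE_B_RSS = """<rss version="2.0"><channel>
  <title>Leak site B</title>
  <link>http://siteb-placeholder.onion/</link>
  <item><title>Victim 9</title><link>http://legacy-leaks.example/p/9</link></item>
</channel></rss>"""
SITE_B_HEADERS = [
    "HTTP/1.1 200 OK",
    "Server: Apache",
    "Set-Cookie: DEADBEEF=7; Path=/",
]


def rss_link_hosts(rss_xml: str) -> set:
    """Hostnames referenced by every <link> element in the feed.

    Handles both RSS <link>text</link> and Atom <atom:link href="..."/>,
    which is where a stray third-party domain typically hides.
    """
    hosts = set()
    root = ET.fromstring(rss_xml)
    for el in root.iter():
        # Strip any XML namespace so <atom:link> and <link> both match.
        if el.tag.split("}")[-1] != "link":
            continue
        url = (el.text or "").strip() or el.get("href", "")
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def cookie_names(headers) -> set:
    """Cookie names from Set-Cookie headers (header name matched case-insensitively)."""
    names = set()
    for line in headers:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            first_pair = value.strip().split(";", 1)[0]
            names.add(first_pair.split("=", 1)[0].strip())
    return names


def fingerprint(rss_xml: str, headers) -> dict:
    """Bundle the two artifact sets for one site."""
    return {"hosts": rss_link_hosts(rss_xml), "cookies": cookie_names(headers)}


def shared_artifacts(fp_a: dict, fp_b: dict) -> dict:
    """Artifacts present in both fingerprints, per category."""
    return {key: fp_a[key] & fp_b[key] for key in fp_a}


if __name__ == "__main__":
    overlap = shared_artifacts(fingerprint(SITE_A_RSS, SITE_A_HEADERS),
                               fingerprint(SITE_B_RSS, SITE_B_HEADERS))
    print(overlap)  # e.g. {'hosts': {'legacy-leaks.example'}, 'cookies': {'DEADBEEF'}}
```

A shared hostname or cookie name is a lead, not proof: as the article itself notes, such overlaps are equally consistent with reused tooling, an impersonator, or a honeypot, so they belong in a pivot list to be corroborated rather than in an attribution statement.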

An identity that raises questions
In cybersecurity, attributing cyberattacks is far from easy. Neither is identifying a resurrected cybergang. On a popular Russian-speaking hacker forum, users are debating whether the operation is a scam, a honeypot, or a legitimate continuation of the old REvil structure, one that has lost its reputation and has a long way to go to win it back. Several ransomware operators already use patched REvil encryptors or impersonate the original group.
