The notorious REvil ransomware gang abruptly went dark after the Kaseya incident drew unwanted attention to it. It appeared that the threat actors had disappeared for good. However, REvil is now back online and actively posting about ransomware again.
REvil Ransomware Back Online
In July this year, the infamous ransomware gang REvil (aka Sodinokibi) surprised the security community with its sudden disappearance.
Initially, the gang’s leak site became inaccessible. Later, LockBit ransomware threat actors also hinted at possible law enforcement action against REvil.
Although this remained speculation, REvil’s persistent absence for months supported the idea that the gang had departed, until it reappeared recently. According to Bleeping Computer, not only is the gang’s website back online, but REvil representatives have also become active on dark web forums again.
However, the new representative account suggests that a different person may now be speaking for the gang. According to the posts from that account, the gang actually went offline because it suspected that its previous representative, “UNKN” (short for Unknown), aka 8800, had been arrested. (Below is a translation of their posts.)
As Unknown (aka 8800) disappeared, we (the coders) backed up and turned off all the servers. Thought that he was arrested. We tried to search, but to no avail. We waited – he did not show up and we restored everything from backups.
After UNKWN disappeared, the hoster informed us that the Clearnet servers were compromised and they deleted them at once. We shut down the main server with the keys right afterward.
Kaseya decryptor, which was allegedly leaked by the law enforcement, in fact, was leaked by one of our operators during the generation of the decryptor.
Alongside restoring the website, the threat actors have also reset the countdown timers for all victims, potentially resuming extortion from where they left off.
This comeback also brings a new REvil ransomware variant, which was recently uploaded to VirusTotal. This indicates that the gang has resumed its activities.
Hence, the corporate sector is once again at risk from this notorious ransomware, and businesses should remain wary of it.