Is the REvil Ransomware Gang Back From the Brink, Or Is It an Impostor?


The arrests of REvil members didn’t include the coders, who are still at large, so it is plausible that the ransomware operation has been revived. But they could not have fired up the original leak site without its access keys, which were in the hands of law enforcement as of November 2021. Something is cooking, but it isn’t clear who the chef is.

Five months after law enforcement agencies seized the REvil ransomware gang’s infrastructure, three months after Russia’s FSB arrested 14 REvil members, and a month after a REvil member Yaroslav Vasinskyi’s extradition to and indictment in the U.S., the ransomware syndicate may have resurfaced on the dark web.

Researchers observed that REvil’s old leak site, where the gang published exfiltrated data when victims refused to pay, now redirects users to a new website. This new site carries a list of REvil victims, both old and some newer ones.

The new site has been active at least since mid-December, according to security researcher pancak3, who was able to record the redirect.

Looks like the redirect is back (for now). I was able to capture it for everyone. pic.twitter.com/k8smibQaWX

— pancak3 (@pancak3lullz) April 20, 2022

Meanwhile, the original REvil leak site, inactive for months, has suddenly come alive and is intermittently throwing back 404 errors. The redirect is also switching on and off.

pancak3 and Soufiane Tahiri observed that the new site is being promoted on RuTOR, a forum marketplace that caters to the Russian-speaking market. This led both to speculate that the people behind the new website could be impostors.

REvil imposters/scammers?
Who uses RUTOR for ransomware adverts?
“The same proven (but improved) software” lol pic.twitter.com/RbEUbatYOL

— pancak3 (@pancak3lullz) April 19, 2022

Tahiri opines that if these are REvil members resurfacing, they would not reuse the name. This makes sense given that REvil’s past misdeeds have earned them the ire of not just the West but also the Russian government, which ruthlessly apprehended 14 members and seized 426 million rubles ($5.6 million) in cash, cryptocurrency worth $600,000, and 20 luxury cars from the gang members.

REvil is a cybercriminal entity that gained notoriety among both white hat and black hat communities. It carried out several high-profile attacks, against Kaseya, Acer, Apple supplier Quanta, meat supplier JBS Foods, and Sol Oriens, a U.S. Department of Energy subcontractor for nuclear weapons consulting. So it would not be surprising for someone else to capitalize on the name.

Louise Ferrett, threat intelligence analyst at Searchlight Security, told Toolbox, “While it’s currently not confirmed to be run by the same REvil team, and other actors have been seen using versions of the malware in previous months, the fact that REvil’s former onion address redirects to this new leak site suggests at least some degree of connection to the original group.”

The REvil arrests came when the U.S. was coordinating with Russia to curb cybercriminal activity emanating from Russia. On April 7, Russia’s deputy secretary of the security council, Oleg Khramov, said in an interview that the White House has unilaterally withdrawn from the cybersecurity working group, thus closing a channel of communication with the Kremlin.

Soon thereafter, the original REvil site became active. Ferrett added, “Another possible contributor to the site’s re-emergence relates to Russian reports that the communication channels between Russia and the U.S. on cybersecurity issues had been closed just a fortnight ago, which is being inferred to mean that Moscow has allowed the once-arrested REvil gang to resume activities.”


At this point, it is unclear exactly who holds the keys to the original site’s domain, which is different from the new one. In November 2021, there was credible evidence that law enforcement had access to the original REvil site. It seems implausible that the threat actors got it back.

While pancak3 and Tahiri have reservations about whether it is indeed REvil members who have reemerged with the new site, it is a good time to revisit the following statement made by Vitali Kremez, CEO of AdvIntel, in January, soon after the REvil arrests in Russia.

“The coders behind #REvil dev are unlikely affected by Russian arrests for ‘money control/laundering’. Based on our analysis, the arrests caught the REvil ‘pentesters’,” Kremez said. “We have confirmation and knowledge of many REvil hackers still working with the other groups such as Conti.”

Indeed, the arrests made by Russian authorities were for financial offenses rather than cyber crimes, and they did not reach the developers, who are still at large.

But access to the original site was in the hands of law enforcement, so why would they relinquish control now?

Prominent ransomware and other cybercriminal communities have been quiet so far about these developments. However, it isn’t a stretch to say that they would regard this resurgence as a honeypot set up to nab the remaining members.

A conversation among security researchers Andrew Northern (Proofpoint), John Hammond (Huntress Labs), Tahiri (Cdiscount), and pancak3 points the same way. They found that the original site now has missing links and images, that its RSS feed shows data from only the first page, and that the site links to corpleaks[.]com (the Nefilim ransomware gang’s leak site).

But they couldn’t corroborate whether this matches what the original site displayed previously.

However, the new site displays REvil’s previous victims and new ones, including Oil India, one of India’s largest hydrocarbon exporters, and signage services provider Visotec Group. Besides victims, the new site also carries recruitment notices that promise the “same proven (but improved) software,” payouts to wallets, and an 80/20 split of ransom proceeds.

“The advert for affiliates is also interesting: The dark web forum they have chosen to host their auto-guarantor form on, through which affiliates can apply, is not the typical choice for threat actors, or at least actors considered as ‘elite’ as REvil,” Ferrett concluded.

“This, coupled with the use of names associated with other ransomware gangs on the site, gives cause to be skeptical about this new group’s true identity and affiliation to the original team.”

Is the REvil ransomware gang back? Maybe. Maybe not. Perhaps it’s an impostor. Or perhaps it’s a honeypot. No one really knows, not yet anyway. Stay tuned for more updates.
