As New Clues Emerges, Experts Wonder: Is REvil Back?

As New Clues Emerges, Experts Wonder: Is REvil Back?

Change is a part of life, and nothing stays the same for too long, even with hacking groups, which are at their most dangerous when working in complete silence. The notorious REvil ransomware gang, linked to the infamous JBS and Kaseya, has resurfaced three months after the arrest of its members in Russia.

The Russian domestic intelligence service, the FSB, had caught 14 people from the gang. In this apprehension, the 14 members of the gang were found in possession of 426 million roubles, $600,000, 500,000 euros, computer equipment, and 20 luxury cars were brought to justice.

REvil Ransomware Gang- The Context

The financially-motivated cybercriminal threat group Gold Southfield controlled ransomware group known as REvil emerged in 2019 and spread like wildfire after extorting $11 million from the meat-processor JBS.

REvil would incentivize its affiliates to carry out cyberattacks for them by giving a percentage of the ransom pay-outs to those who help with infiltration activities on targeted computers.

In July 2021, hackers working under REvil exploited zero-day vulnerabilities in Managed Service Provider (MSP)service developed by a company called Kaseya. As is often the case, these vulnerabilities had not been patched and were therefore open for exploitation. The code change was deployed globally against over 30 MSPs worldwide and 1,000 business networks managed by those MSPs.

The hackers rented their ransomware to other cyber criminals so that a similar attack could occur and disrupt the activities of others. It’s been reported how sustained ransomware attacks were conducted revealed that most hacking groups utilize Ransomware-as-service by renting out their services to other users (who often have easy access to the victim’s systems, networks, and other personal information). The famous Colonial Pipeline, the oil pipeline company, operating in the United States, was attacked by REvil as part of a Ransomware service.

In October 2021, a multi-country law enforcement operation seized control of REvil’s main ransomware-related resources and dismantled the darknet campaign that was being conducted on anonymous ToR servers.

But thanks to the U.S.-Russian collaboration, the REvil gang was dismantled, and the group itself was hacked. The crime group’s “Happy Blog” website, used to leak victim data and extort companies and provide an avenue for commending members involved in successful attacks, was forced offline.

ReVil Making a Comeback

Cybersecurity researchers have put forward samples of REvil ransomware. Their findings, based on the findings of samples which all showed identical creation dates and compilation strings along with several other attributes, which mean the same person/team probably makes it – strengthens their argument that they have indeed identified the original REvil ransomware developer and should logically, therefore, conclude that the self-exiled cybercriminal group known as REvil has returned. Recently, the latest Ransomware leak site was promoted through the Russian forum RuTOR – a website that allegedly markets leaked data to customers.

As Per Vines, REvil’s Tor Sites Have Come Back to Life.

In late April of this year, security researchers noticed some malware found in previous

attacks had resumed activity after a long period of quiet. Two researchers who are into the dark side of cybersecurity recently uncovered a blog on the dark web that is used to publish ransomware attacks, and it was enticing others to take part in this dangerous trend. They also came across news that attackers have taken it upon themselves to recruit more ghost hackers.

Ransomware sample confirms the return:

The latest sample has made use of longer GUID-type values, such as

3c852cc8-b7f1-436e-ba3b-c53b7fc6c0e4 for the SUB and PID options to track campaign and affiliate identities, respectively.

Is REvil Back? – How Can You Fight Back?

REvil is known for being particularly destructive ransomware, and its return means that businesses and individuals need to be on high alert for possible attacks. It is too early to tell if the REvil ransomware gang’s comeback will be as effective as its predecessor. Read more:

You can also read this: DragonForce Malaysia Releases LPE Exploit, Threatens Ransomware

Leave a Reply

Your email address will not be published. Required fields are marked *