Evidence of the return of notorious ransomware gang REvil has appeared online, with a blog purporting to be from the group detailing two potential new victims: oil company Oil India and another Indian firm, signage maker Visotec Group. REvil was supposedly taken offline in January after many of its leading operatives were arrested in Russia, and experts are divided on whether this week’s developments mean the gang has truly returned.
Has REvil really returned?
REvil was perceived to be one of the most aggressive and prolific ransomware-as-a-service gangs active on the dark web in the past year. The cybercrime group, which has developed and deployed the Sodinokibi malware, has claimed credit for the supply chain attack on managed service provider Kaseya in July, which affected up to 1,500 businesses that worked with the company. The gang was also reportedly responsible for the attack on global meat supplier JBS, where it demanded an $11m ransom.
Russian security agency the FSB said it arrested some of the key operatives in the group during a sting operation in January, but the page on the dark web where REvil would post information about its victims has now been reactivated. Researchers spotted that the site, known as Happy Blog, has been updated, linking to another site that displays many of the gang’s victims, with at least two new names added.
The two are Oil India, which suffered a ransomware attack on April 10 by an unnamed group that demanded $7.9m, and Visotec Group, which has not publicly disclosed whether it has been attacked. The blog states that Oil India is no longer in talks about paying the ransom, and the site features some of the company’s internal documents.
A recruitment page has also been added, promising hackers who want to join an 80/20 split on ransoms collected. The site also appears to be touting similar ransomware to that which was being used by the gang before it was taken down by the FSB.
Who is behind the REvil resurrection?
So far, it is unclear who is behind this apparent return of REvil, says Diana Selck-Paulsson, lead security researcher at Orange Cyberdefense. “It is not uncommon for today’s cyber extortion groups to disappear and re-emerge in other forms or rebrand,” she says. “It is interesting that the site is being re-used, with both old victims of REvil and new victims displayed there. One reason for this could be that someone is trying to use the REvil reputation or ‘brand’ without being connected to the original group.”
Another explanation could be that REvil’s blog is being used by the FSB as a trap to lure in other cybercriminals, says Chris Morgan, senior cyber threat intelligence analyst at security company Digital Shadows. “It is currently unclear whether the restart of infrastructure associated with REvil represents a genuine return to activity,” Morgan says. “Some have suggested that the return may have been facilitated by Russian law enforcement to entrap other members of REvil’s former operation. However, as new victims and sensitive information have already been posted to the site, this appears less likely.”
Whether or not REvil’s return is genuine, its renewed presence will not be welcomed by the wider ransomware community, Morgan says. The January arrests mean the group will be viewed with suspicion. “This has been reflected by initial commentary from the cybercriminal community, who have expressed that they would be distrustful even if the return was coordinated by the original members of REvil’s operation,” he says.
The picture may become clearer in the coming weeks, Morgan says. “The return of REvil coincides with a glaring lack of a clarification on whether they are indeed back to business or part of a new operation,” he says. “If the return is legitimate, it is realistically possible that this clarification will be provided by the group in the coming weeks.”