Chris Swagler | April 26th, 2022

Security researchers discovered a new REvil leak website being promoted on RuTOR, a forum marketplace that focuses on Russian-speaking regions. After months of inactivity, the ransomware group’s Tor servers are back up and redirecting to a new operation loaded with data from the group’s successful hacks. It’s unknown who’s behind the new REvil-connected operation; however, the new website contains a large catalog of victims from past REvil attacks along with two new additions. Oil India, an Indian state-run oil business and one of the largest in its sector, announced a cybersecurity breach in which threat actors demanded $75 million in ransom. Visotec Group was the other victim.

According to researchers, REvil’s former Tor payment domains now redirect to the new site, which is hosted on a different domain but leads to the original site REvil used when it was active. The new website’s features include a recruiting page with information on the terms and conditions for affiliates, who are offered an enhanced version of the REvil ransomware and an 80/20 split of any ransom they collect. It’s evident that whoever established the redirect on REvil’s old website and payment link had access to the group’s old infrastructure, leading people to believe the ransomware operators are making a comeback. There is speculation as to whether the new operation is a hoax, a honeypot, or a legitimate continuation of the previous REvil operation.

Security researchers began noticing activity from a different ransomware group, Ransom Cartel, whose payload was related to REvil’s encryptor, weeks after 14 alleged group members were arrested in Russia. Researchers then noticed that the current REvil-related leak site was starting to be populated with content. Another researcher noticed that the source of the site’s RSS feed displays the string Corp Leaks, which the now-defunct Nefilim ransomware group used. The blog and payment site run on different servers, and the new operation’s blog drops a cookie called DEADBEF, a file marker used by the TeslaCrypt ransomware group. Possible connections to a known ransomware threat actor have yet to be determined: new REvil-based payload samples are still being analyzed, and no individual or affiliate has claimed responsibility for the new leak site.

While under the FBI’s control, REvil’s data leak and payment sites displayed a page called “REvil is bad” and a login form, both through Tor gateways and at the .onion address. The mystery of the redirects deepens because someone other than law enforcement had access to the Tor private keys, allowing them to make changes to the .onion site. Numerous ransomware operations are either using patched REvil encryptors or impersonating the original group.

REvil, also known as Sodinokibi or Sodin, was one of the most notorious ransomware groups and was a continuation of the GandCrab operation, which was the first to establish the ransomware-as-a-service (RaaS) model. Exploiting a zero-day bug in Kaseya’s VSA remote management tool, REvil encrypted about 60 managed service providers and over 1,500 of their small and midsized business customers in a massive supply chain attack. This eventually led to the group’s demise as global law enforcement intensified its collaboration to shut the group down. After the Kaseya incident, the group disappeared from the internet for two months, abandoning forums, disconnecting its servers, and shutting down its dark web presence, not knowing that law enforcement agencies had breached its servers. REvil’s dark web servers resurfaced in September, restarting the operation from backups, which sparked fear that the group was preparing for new attacks.

The REvil group was later hacked and taken offline in a coordinated operation involving law enforcement agencies from numerous countries. Cyber experts worked with United States intelligence agencies to breach REvil’s network infrastructure and take control of some of its servers, effectively shutting down the infrastructure used for criminal purposes.

With this recent information that REvil’s infrastructure is restarting, it’s critical for companies to remain alert to the current threat landscape and ensure their network security infrastructure is updated regularly. At SpearTip, our certified engineers specialize in incident response and handle data breaches with one of the fastest response times in the industry. Working in our 24/7/365 Security Operations Center, our engineers continuously monitor companies’ networks for potential ransomware threats. Our ShadowSpear Platform uses unparalleled data normalization and visualizations to detect sophisticated unknown and advanced threats. Additionally, it’s equipped with detection engines powered by artificial intelligence and models of attacker tactics, techniques, and procedures (TTPs) to detect malicious activity.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.