The dark web servers for the REvil ransomware operation have suddenly turned back on after an almost two-month absence. It is unclear whether this marks the ransomware gang's return or the servers being turned on by law enforcement.
On July 2nd, the REvil ransomware gang, aka Sodinokibi, used a zero-day vulnerability in the Kaseya VSA remote management software to encrypt approximately 60 managed service providers (MSPs) and over 1,500 of their business customers.
REvil then demanded $5 million from MSPs for a decryptor, or $44,999 for each encrypted file extension at the individual businesses.
The gang also demanded $70 million for a master decryption key that would decrypt all Kaseya victims, but soon dropped the price to $50 million.
After the attack, the ransomware gang faced increasing pressure from law enforcement and the White House, which warned that if Russia did not act against threat actors within its borders, the United States would take action itself.
Soon after, the REvil ransomware gang disappeared and all of their Tor servers and infrastructure were shut down.
To this day, it is not clear what happened, but it left ransomware victims who wanted to negotiate unable to do so and without the ability to recover their files.
Mysteriously, Kaseya later received the master decryption key for the victims of the attack, and said it came from a trusted third party. It is believed that Russian intelligence acquired the decryption key from the threat actors and passed it along to the FBI as a gesture of goodwill.
REvil infrastructure suddenly turns back on
Today, both the Tor payment/negotiation site and REvil's Tor 'Happy Blog' data leak site suddenly came back online.
The most recent victim on the REvil data leak site was added on July 8th, 2021, just five days prior to REvil's mysterious disappearance.
Unlike the data leak site, which is functional, the Tor negotiation site does not appear to be fully operational yet. While it shows the login screen, as seen below, it is not allowing victims to log in to the site at this time.
The gang's clear web site http://decoder.re/ is still offline at this time.
It is unclear at this time whether the ransomware gang is back in operation, the servers were turned back on by mistake, or this is the result of law enforcement action.