The dark web servers for the REvil ransomware operation have suddenly turned back on after an almost two-month absence. It is unclear whether this marks the ransomware gang's return or the servers being turned on by law enforcement.
On July 2nd, the REvil ransomware gang, aka Sodinokibi, used a zero-day vulnerability in the Kaseya VSA remote management software to encrypt approximately 60 managed service providers (MSPs) and over 1,500 of their business customers.
REvil then demanded $5 million from MSPs for a decryptor, or $44,999 for each encrypted extension on the individual businesses.
The gang also demanded $70 million for a master decryption key to decrypt all Kaseya victims but soon dropped the price to $50 million.
After the attack, the ransomware gang faced increasing pressure from law enforcement and the White House, who warned that the USA would take action themselves if Russia did not act against threat actors within its borders.
Soon after, the REvil ransomware gang disappeared, and all of their Tor servers and infrastructure were shut down.
To this day, it is not clear what happened, but it left ransomware victims who wished to negotiate unable to do so and without the ability to recover their files.
Mysteriously, Kaseya later received the master decryption key for the attack victims and said it came from a trusted third party. It is believed that Russian intelligence obtained the decryption key from the threat actors and passed it along to the FBI as a gesture of goodwill.
REvil infrastructure suddenly turns back on
Today, both the Tor payment/negotiation site and REvil's Tor 'Happy Blog' data leak site suddenly came back online.
The most recent victim on the REvil data leak site was added on July 8th, 2021, just five days before REvil's mysterious disappearance.
Unlike the data leak site, which is functional, the Tor negotiation site does not appear to be fully operational yet. While it shows the login screen, as seen below, it does not allow victims to log into the site.
The gang's http://decoder.re/ site is still offline at this time.
It is unclear at this time whether the ransomware gang is back in operation, the servers were turned back on by mistake, or this is the result of actions by law enforcement.