The operators behind the REvil ransomware-as-a-service (RaaS) staged a surprise return after a two-month hiatus following the widely publicized attack on technology services provider Kaseya on July 4.
Two of the dark web portals, including the gang’s Happy Blog data leak site and its payment/negotiation site, have resurfaced online, with the most recent victim added on July 8, five days before the sites mysteriously went off the grid on July 13. It is not immediately clear if REvil is back in the game or if they have launched new attacks.
“Sadly, the Happy Blog is back online,” Emsisoft threat researcher Brett Callow tweeted on Tuesday.
The development comes a little over two months after a wide-scale supply chain ransomware attack aimed at Kaseya, which saw the Russia-based cybercrime gang encrypting roughly 60 managed service providers (MSPs) and over 1,500 downstream businesses using a zero-day vulnerability in the Kaseya VSA remote management software.
In late May, REvil also spearheaded the attack on the world’s largest meat producer JBS, forcing the company to shell out $11 million in ransom to the extortionists to recover from the incident.
Following the attacks and increased international scrutiny in the wake of the global ransomware crisis, the group took its dark web infrastructure down, leading to speculation that it might have temporarily ceased operations with the goal of rebranding under a new identity so as to attract less attention.
REvil, also known as Sodinokibi, emerged as the fifth most commonly reported ransomware strain in Q1 2021, accounting for 4.60% of all submissions in the quarter, according to statistics compiled by Emsisoft.