The REvil ransomware gang has absolutely returned and is as soon as once more attacking new victims and publishing stolen information on an information leak web site.
Since 2019, the REvil ransomware operation, aka Sodinokibi, has been conducting assaults on organizations worldwide the place they demand million-dollar ransoms to obtain a decryption key and stop the leaking of stolen information.
REvil’s disappearance act
REvil shut down their infrastructure and utterly disappeared after their greatest caper but – a massive attack on July 2nd that encrypted 60 managed service suppliers and over 1,500 companies utilizing a zero-day vulnerability in the Kaseya VSA distant administration platform.
REvil then demanded $50 million for a common decryptor for all Kaseya victims, $5 million for an MSP’s decryption, and a $44,999 ransom for particular person file encryption extensions at affected companies.
This assault had such wide-ranging penalties worldwide that it introduced the total consideration of worldwide legislation enforcement to bear on the group.
Seemingly feeling strain and issues about being apprehended, the REvil gang suddenly shut down on July thirteenth, 2021, leaving many victims in a lurch with no manner of decrypting their information.
The final we had heard of REvil, was that Kaseya received a universal decryptor that victims might use to decrypt information free of charge. It’s unclear how Kaseya acquired the decryptor however said it got here from a “trusted third get together.”
REvil returns with new assaults
After their shutdown, researchers and legislation enforcement believed that REvil would rebrand as a brand new ransomware operation in some unspecified time in the future.
Nonetheless, a lot to our shock, the REvil ransomware gang came back to life this week underneath the identical identify.
On September seventh, virtually two months after their disappearance, the Tor cost/negotiation and information leak websites instantly turned again on and have become accessible. A day later, it was as soon as once more doable to log in to the Tor cost web site and negotiate with the ransomware gang.
All prior victims had their timers reset, and it appeared that their ransom calls for have been left as they have been when the ransomware gang shut down in July.
Nonetheless, there was no proof of latest assaults till September ninth, when somebody uploaded a brand new REvil ransomware pattern compiled on September 4th to VirusTotal.
Right now, we have now seen additional proof of their renewed assaults because the ransomware gang has revealed screenshots of stolen information for 2 new victims on their information leak web site.
When you’ve got first-hand details about REvil’s return, you’ll be able to confidentially contact us on Sign at +16469613731, Wire at @lawrenceabrams-bc, or Jabber at firstname.lastname@example.org.
New REvil consultant emerges
Previously, REvil’s public consultant was a menace actor referred to as ‘Unknown‘ or ‘UNKN,’ who regularly posted at hacking boards to recruit new associates or put up information in regards to the ransomware operation.
On September ninth, after the return of the ransomware operation, a brand new consultant merely named ‘REvil’ had begun posting at hacking boards claiming that the gang briefly shut down after they although Unknown was arrested and servers have been compromised.
This translation of those posts will be learn under:
“As Unknown (aka 8800) disappeared, we (the coders) backed up and turned off all of the servers. Thought that he was arrested. We tried to go looking, however to no avail. We waited – he didn’t present up and we restored all the things from backups.
After UNKWN disappeared, the hoster knowledgeable us that the Clearnet servers have been compromised and so they deleted them directly. We shut down the primary server with the keys proper afterward.
Kaseya decryptor, which was allegedly leaked by the legislation enforcement, the truth is, was leaked by one in every of our operators in the course of the technology of the decryptor.” – REvil
Based mostly on these claims, Kaseya’s common decryptor was obtained by legislation enforcement after they gained entry to a few of REvil’s servers.
Nonetheless, BleepingComputer has been informed by quite a few sources that REvil’s disappearance shocked legislation enforcement as a lot as everybody else.
A chat between what’s believed to be a safety researcher and REvil, paints a special story, with an REvil operator claiming they merely took a break.
Whereas we might by no means know the actual motive for the disappearance or how Kaseya obtained the decryption key, what’s most necessary is to know that REvil is again to concentrating on firms worldwide.
With their expert associates and talent to carry out refined assaults, all community admins and safety professionals should turn out to be aware of their tactics and techniques.