REvil Ransomware Returns, Already Exposing Data

Share:

Share on facebook
Share on twitter
Share on linkedin

The REvil ransomware group has fully resurfaced, is attacking new victims and posting stolen files on a data breach site.

Since 2019, the REvil ransomware operation, nicknamed Sodinokibi, has been conducting attacks on companies all around the world, demanding million-dollar ransoms in exchange for a decryption key and the prevention of stolen files from being leaked.

During its tenure, the gang has carried out numerous attacks on well-known companies such as JBS, Coop, Travelex, GSMLaw, Kenneth Cole, Grupo Fleury, and others.

“Unfortunately, the Happy Blog is back online,” Emsisoft threat researcher Brett Callow tweeted.

REvil’s Disappearance

After their biggest attack, REvil shut down their infrastructure and completely disappeared. The Kaseya VSA remote management platform was the target of a major attack on July 2nd that affected 60 managed service providers and over 1,500 enterprises using a zero-day vulnerability.

On July 13th, 2021, the REvil gang abruptly ceased operations, leaving many victims in the dark with no method to decrypt their information.

Researchers and law enforcement suspected that REvil would rebrand as a new ransomware organisation at some point after their shutdown.

 

REvil’s Return

Nevertheless, the REvil ransomware group returned this week under the same name, much to our surprise.

Tor’s payment/negotiation and data leak sites reactivated and became available on September 7, over two months after they went down. It was possible to engage with the ransomware group again a day later.

All prior victim’s timers were reset and their ransom demands had remained the same when the ransomware gang ceased down in July.

According to ‘REvil’, a new spokesman of the ransomware operation, the group temporarily shut down after believing Unknown (REvil’s previous spokesman) had been arrested and systems compromised on September 9th.

REvil post to Russian-speaking hacking forum. Source: Advanced Intel

This translation of these posts can be read below:

“As Unknown (aka 8800) disappeared, we (the coders) backed up and turned off all the servers. Thought that he was arrested. We tried to search, but to no avail. We waited – he did not show up and we restored everything from backups.

After UNKWN disappeared, the hoster informed us that the Clearnet servers were compromised and they deleted them at once. We shut down the main server with the keys right afterward. 

Kaseya decryptor, which was allegedly leaked by the law enforcement, in fact, was leaked by one of our operators during the generation of the decryptor.”

 – REvil

While we may never know the true reason for the disappearance or how Kaseya gained the decryption key, the most important is to know is that REvil is back to targeting corporations all over the world.

REvil’s skilled affiliates and ability to perform sophisticated attacks could result in devastating business outcomes. It’s recommended that all network admins and security professions become familiar with expert cybersecurity tactics and techniques, especially if employees are working remotely.

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.

Emergency Assistance

Under Attack?

Please fill out the form and we will respond ASAP. Alternatively, click the button to call us now.