REvil officially returns with the same name, disappearing insider exposure

Recently, the dark web server operated by REvil ransomware suddenly restarted after being offline for nearly two months. The site, called Happy Blog, was one of many servers REvil members shut down on July 13 earlier this year.

We reported on this yesterday:

REvil back in the arena?

Today, Red Digital confirmed that REvil has made a comeback under the same name (no rebranding), and the inside story of its short-term shutdown has also come to light.

On July 2, 2021, the REvil ransomware gang (aka Sodinokibi) exploited a zero-day vulnerability in Kaseya VSA remote management software to encrypt approximately 60 managed service providers (MSPs) and more than 1,500 of their enterprise customers. REvil then asked MSPs for $5 million for a decryptor, or $44,999 for each encrypted file extension within a business. The gang also demanded $70 million for a master decryption key that would decrypt all Kaseya victims, but quickly dropped the price to $50 million. (Extended reading: The highest extortion fee in history: 452 million yuan! (with IoC))

After the attack, ransomware gangs faced increasing pressure from law enforcement and the White House, which warned that if Russia did not take action against threat actors within its borders, the United States would act on its own. Before long, the REvil ransomware gang appeared to be gone for good, shutting down all of its darknet servers and infrastructure.

REvil returns under the same name, with new victims

Following the shutdown, researchers and law enforcement believed REvil would at some point re-emerge as a rebranded ransomware operation. To our surprise, however, the REvil ransomware gang resurfaced this week under the same name.

On September 7, nearly two months after they disappeared, the darknet payment/negotiation and data breach sites were suddenly reopened and accessible. A day later, it was possible to log on to the dark web payment site again and negotiate with the ransomware gang. All previous victims had their timers reset, and their ransom demands appeared to be the same as when the ransomware gang shut down in July.

However, it was not until September 10 that evidence of new REvil attacks was confirmed, when someone uploaded a new REvil ransomware sample, compiled on September 5, to VirusTotal. Today we saw further evidence of renewed activity, as the ransomware gang posted screenshots of new victims’ stolen data on its data breach site.

New REvil Representative Appears, Insider Account of the Short-Term Disappearance

In the past, the public representative of the REvil ransomware group was a threat actor known as “Unknown” or “UNKN” who regularly posted on hacker forums to recruit new affiliates or publish news about ransomware operations.


REvil’s UNKN forum thread

On September 10, after the ransomware operation returned, a new representative, simply named “REvil”, began posting on hacker forums, claiming that the gang was briefly down after Unknown was arrested and servers were compromised.


REvil posted to Russian hacking forum

The translations of these posts are as follows:

“With Unknown (aka 8800) gone, we (the coders) backed up and shut down all servers. Thought he was caught. We tried to search, but to no avail. We waited – he didn’t show up, we restored everything from backup. After UNKWN disappeared, the organizers notified us that the Clearnet server was compromised and they removed it immediately. We immediately shut down the main server with the key. The Kaseya decryptor allegedly leaked by law enforcement was actually generated in the decryptor leaked by one of our operators during this period.” – REvil

According to these accounts, law enforcement obtained Kaseya’s generic decryptor after gaining access to some of REvil’s servers.

However, many sources revealed that REvil’s disappearance surprised law enforcement as much as others.

A chat believed to be between a security researcher and REvil paints a different story, with one REvil operator claiming they just took a break.


A chat between researchers and REvil about their disappearance

While we may never know the real reason for REvil’s short-term disappearance or how Kaseya obtained the decryption key, the most important thing to know is that REvil is back and will continue to target major global corporations.

Given its skilled affiliates and its ability to execute sophisticated attacks, all network administrators and security professionals should be on alert and familiar with its tactics and techniques (we will publish a breakdown of REvil’s tactics and techniques tomorrow).


Author: Yoyokuo