The notorious ransomware gang REvil has returned with a bang: the gang's servers are back online, a fresh victim is listed on its site, and ransomware payments are flowing again after a two-month hiatus.
The period of quiet coincided with a universal decryptor key being issued by Kaseya, the IT solutions developer hit by a large ransomware attack. The gang claims that Kaseya only obtained the key because a gang member made a mistake.
REvil posted twice on the Exploit underground forum on Friday, Sept. 10, to clarify that a coder mistakenly generated and leaked the universal key.
Researchers regard this claim as suspect at best: “All threat actors agree that the reasoning regarding the mistaken generation of the decryption key is absolutely ridiculous and doesn’t make any sense in the context of how contemporary ransomware operations work.”
It appears that REvil came back online by restoring its systems from backups. This adds up: the recent reappearance is the first time the group has been online since its servers slipped offline without explanation in July, immediately after the high-profile Kaseya attack.
After that attack, the gang’s Tor servers and infrastructure powered down, and a security researcher discovered that the master decryption key had been leaked to an underground forum. Two days before the group’s return, REvil’s leak site (known as Happy Blog) was back up, and it is now fully operational.
On the same day, REvil’s Tor payment and negotiation site also sprang back to life. By Thursday, victims could once again log in and negotiate with the group, and, unfortunately, there is now evidence of active development too: on 9th September a new REvil ransomware sample was found, compiled just five days earlier on 4th September.
Confirming its full return, the gang published screenshots of data stolen from the new victim on its data leak site as proof that it was, in fact, back in action.
One possibility floated after REvil’s servers went dark was that law enforcement had obtained the decryptor and shut down the servers. Besides re-emerging, in whatever form it has, REvil is apparently looking to re-establish itself. The reborn REvil, a ransomware-as-a-service (RaaS) operation that rents its ransomware tooling to affiliates, appears to be trying to patch things up with disgruntled affiliates who complained about missing out on their own ransoms after the group’s disappearance.
REvil’s re-emergence will likely bring an increase in the threats businesses face. Neuways advises all companies to remain wary of incoming emails containing hyperlinks or attachments, which criminals could use to compromise the recipient.