Ransomware gang REvil resurfaces on the dark web and announces new results – is it really back?

Evidence of the resurgence of the notorious ransomware gang REvil has surfaced on the dark web, with the original REvil gang's dark web site jumping to a new dark web blog with details of three new victims: Stratford University (USA), another Indian company - Visotec Group (www.visotec.com) and oil company Oil India (www.oil-india.com), but of course, the old victim information is still there in the blog.

The REvil ransomware gang, which is speculated to have originated in Russia, chose to disappear to avoid the limelight and shut down the dark web site after attacking Kaseya VSA softwares users in July 2021 for alerting the White House and even the Russian government; in September 2021, the Happy Blog site used by REvil to showcase the results of the intrusion and demonstrate the stolen information reappeared in the dark web; in 2021 October, after the dark web site was hijacked, REvil chose to shut down again; and in January 2022, many members of REvil's group were arrested by the Russian Federal Security Service.

So is it true that the ransomware gang REvil is back? After analyzing REvil's dark web site, Dark Web Under/AWX believes that REvil has indeed made a comeback, and that it is not a phishing operation by the Russian FSB.

The V3 domain name of REvil's previous dark web site is


The V3 domain name of REvil's newly redirected dark web site is


Is REvil really back?

REvil is considered to be one of the most aggressive and prolific ransomware-as-a-service groups active on the dark web over the past year. The cybercrime gang developed and deployed the Sodinokibi malware and claims credit for a supply chain attack on managed services provider Kaseya in July that affected as many as 1,500 businesses working with the company. The group is also reportedly responsible for the attack on global meat supplier JBS and is demanding a ransom of $11 million.

Russia's security agency, the FSB, said it arrested some of the group's key personnel in a crackdown in January, but REvil's page on the dark web that posted information about victims has now been relaunched. The site, once known as the "Happy Blog," has been updated to link to another site, "Blog," that shows many of the group's victims, with at least three new ones added.

One is Stamford University, which claims to have about 60 gigabytes of documents, including financial reports, students' passports and social numbers, staff data and many other important information, and has published some internal images on its pages; another is Visotec Group, which has not publicly disclosed whether it was attacked; and another is Indian Oil Corporation, which on April 10 suffered a ransomware attack by an unknown group, demanding $7.9 million in damages.

The site notes that Indian Oil is no longer in negotiations to pay the ransom, and it includes some of the company's internal documents.

The site also adds a Russian-language recruitment page that promises an 80/20 ransom split for hackers willing to join. The site also appears to be peddling ransomware similar to that used by the group before it was banned by the FSB.

Who is behind REvil's resurrection?

Diana Selck-Paulsson, lead security researcher at Orange Cyberdefense, said that so far it is unclear who is behind the apparent return of REvil. "It's not uncommon for today's cyber ransom organizations to disappear and reappear in other forms or be renamed," she said, "and it's interesting that the site is being repurposed, with both old and new victims of REvil showing up there. One reason for this could be that someone is trying to use REvil's reputation or 'brand' without establishing a connection to the original organization."

Another explanation could be that the FSB is using REvil's blog as a trap to lure in other cybercriminals, said Chris Morgan, senior cyber threat intelligence analyst at security firm Digital Shadows. "It is unclear whether the relaunch of the infrastructure associated with REvil represents a true return of activity," Morgan said, adding that "some believe the return may have been facilitated by Russian law enforcement to entrap other members of the pre-REvil operation, however, since new victims and sensitive information have been posted to the site, this seems unlikely."

Regardless of whether REvil's return is real, Morgan said, its re-emergence will not be welcomed by the broader ransomware community. The January arrests mean the group will be suspect. "Initial comments from the cybercrime community reflect this, saying they would be distrustful even if the return was coordinated by the original members of REvil." He said.

From:On DarkNet – Dark Web News and Analysis
Copyright of the article belongs to the author, please do not reproduce without permission.

<<Pre Post
Next Post>>