Following months of inactivity, the notorious REvil ransomware group’s Tor domains have unexpectedly resurfaced.
While the gang took down all of its websites and effectively shut down its operations in September 2021 before being dismantled by Russia’s FSB at the start of this year, its Tor sites now point to a new ransomware operation that just debuted.
It is currently unknown who or which gang is behind this new operation; however, the new leak site contains a long list of previous REvil victims as well as two new ones.
Security researchers pancak3 and Soufiane Tahiri discovered adverts supporting the new REvil leak site on the Russian online hacker community RuTOR, according to BleepingComputer.
Although the new site is hosted on a separate domain, it still redirects to the original REvil site from back when it was active.
The new leak site explains that affiliates receive an updated version of the REvil ransomware as well as an 80/20 split of any ransom payments collected, as the operation follows the Ransomware-as-a-Service (RaaS) model that the criminals have adopted.
The site has a 26-page list of victims, the majority of which are from prior attacks, but the final two appear to be tied to this new operation, one of which includes Oil India.
In November of last year, when REvil's data leak and payment sites were still under FBI control, both sites displayed a page with the title "REvil is terrible" beside a login form.
Even though the ransomware group's domains were seized by law enforcement, these redirects show that someone else had access to the Tor private keys that allowed them to make changes to the group's .onion site.
Users on a well-known Russian-language hacking forum are debating whether the new leak site is a hoax, a government-run honeypot, or a genuine continuation of REvil's previous operations.
To further complicate matters, multiple ransomware operations are currently leveraging REvil’s encryptors or blatantly mimicking the original gang.
Once security researchers take a closer look at the new leak site, we may finally have some answers about whether the REvil ransomware group has really returned from the grave.