REvil’s TOR sites come to life to redirect to new ransomware operation


REvil ransomware servers on the TOR network are back up after months of inactivity and now redirect to a new operation that appears to have been active since at least mid-December last year.

It’s unclear who is behind the new operation connected to REvil, but the new leak site lists a large catalog of victims of past REvil attacks as well as two new ones.

New RaaS in the works

A few days ago, security researchers pancake3 and Soufiane Tahiri noticed that the new REvil leak site was being promoted on RuTOR, a forum marketplace that focuses on Russian-speaking regions.

The new site is hosted on a different domain but redirects to the original one REvil used when it was active, BleepingComputer confirmed today; the two researchers captured the redirect.

The leak site lays out the terms for affiliates, who would get an upgraded version of the REvil ransomware and an 80/20 split of the ransoms they collect.

[Image: RaaS details on the new REvil-related leak site. Source: BleepingComputer]

The site lists 26 victim pages, most of them old REvil attacks, and only the last two appear to be related to the new operation. One of them is Oil India.

In January, weeks after the arrest of 14 suspected gang members in Russia, security researcher MalwareHunterTeam said they had noticed activity from a new ransomware gang linked to REvil since mid-December last year, although no connection was obvious.

The researcher later observed the current REvil-related leak site being up between April 5 and April 10, but with no content; it started getting populated about a week after that.

Another MalwareHunterTeam observation is that the source of the RSS feed shows the Corp Leaks channel, which was used by the now-defunct Nefilim ransomware gang [1, 2].

[Image: Corp Leaks channel in the RSS feed of the new REvil-related leak site. Source: BleepingComputer]

The blog and the payment sites are operational on different servers. Looking at the blog server, BleepingComputer noticed that the new ransomware operation's blog sets a cookie named DEADBEEF, a well-known hexadecimal placeholder value that was used as a file marker by the TeslaCrypt ransomware gang.

[Image: DEADBEEF cookie set by the new leak site linked to REvil. Source: BleepingComputer]

Attributing the new operation to a known ransomware threat actor is not possible at this time, as samples of the new REvil-based payload still need to be analyzed and whoever is behind the new leak site has not yet claimed a name, identity, or affiliation.

While under FBI control in November 2021, REvil’s data leak and payment sites showed a page titled “evil is evil” and a login form, initially through TOR gateways and then at the .onion address itself.

The mystery of the redirects, both the recent ones and those from last year, deepens, as it suggests that someone other than law enforcement has access to the TOR private keys that allowed them to make changes to the .onion site.

On a popular Russian-speaking hacker forum, users are speculating whether the new operation is a scam, a honeypot, or a legitimate continuation of the old REvil operation, which has lost its reputation and has a long way to go to recover it.

The fall of REvil

REvil ransomware had a long run that began in April 2019 as a successor to the GandCrab operation, the first to establish the ransomware-as-a-service (RaaS) model.

In August 2019, the gang hit several local governments in Texas and demanded a collective ransom of $2.5 million – the highest at the time.

The group is responsible for the Kaseya supply-chain attack that affected around 1,500 businesses; that attack also led to the gang’s demise last year, as law enforcement around the world stepped up collaboration to bring it down.

Shortly after hitting Kaseya, the gang went on a two-month hiatus, unaware that law enforcement had hacked into their servers. When REvil restarted the operation, they restored the systems from backups, still unaware of the compromise.

In mid-January, Russia announced that it had shut down REvil after identifying all gang members and arresting 14 people.

“As a result of the joint actions of the FSB and the Russian Ministry of Internal Affairs, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized.” – Russian Federal Security Service

In an interview with Rossiyskaya Gazeta, Deputy Secretary of the Security Council of the Russian Federation Oleg Khramov said that Russian law enforcement started its investigation into REvil from the name Puzyrevsky and an IP address provided by the United States as belonging to the group’s main hacker.

For the time being, the United States has ceased collaborating with Russia on cybersecurity threats, attacks on critical infrastructure in particular, as a direct result of Russia’s invasion of Ukraine.
