REvil, the famous ransomware gang, appears to have returned to business months after being taken offline and having members arrested.
It has been spotted that the address used for REvil’s leak site now redirects to a new site on the darknet. The new page lists previous REvil attacks alongside new ones, including Oil India Ltd.
As was typical with previous REvil attacks, a blog post threatens to publish stolen data, including contracts, client information, and messaging chats unless Oil India negotiates to pay a ransom. The Oil India attack was confirmed on April 13. Those behind the attack demanded a payment of 196 bitcoins ($7.9 million) to provide a decryptor key and a pledge not to publish the stolen data.
It’s not 100% certain whether this is actually REvil reborn or whether another ransomware gang is using its name. Bleeping Computer reported Wednesday that some of the strings in the code for the new site point to other ransomware groups, including the Corp Links and TeslaCrypt gangs. There is also some speculation on Russian hacking forums as to whether this new operation is a scam, a honeypot, or a legitimate continuation of the old REvil business.
If it is legitimately REvil reborn, then it is a matter of concern. REvil, also known as Sodinokibi, first appeared in May 2019 and was a prolific ransomware group linked to dozens of attacks. The best-known attack was on information technology management software from Kaseya Ltd. in July.
Other REvil attacks include those targeting meat processing company JBS S.A., Taiwanese manufacturer Quanta Computer Inc., and Travelex.
It’s too early to make a call on REvil’s reappearance, but caution is required. Past incidents have shown how much damage the group can do and how fast it acts to exploit victims’ weaknesses.