The dark web servers used by the ransomware gang REvil for its operations have suddenly turned back on. However, it’s unclear whether they are being used by law enforcement or whether the ransomware gang is back.
On July 2, the REvil ransomware gang used a zero-day flaw in the Kaseya VSA remote management software to encrypt almost 60 service providers running Kaseya VSA, affecting over 1,500 business customers.
They demanded $5 million from each of the businesses that were encrypted. Along with that, they offered a master decryption key for all Kaseya victims for $70 million. The price was soon dropped to $50 million.
After the ransomware attack, US law enforcement pressured Russia to take action against threat actors working out of the country, or else the US would take the matter into its own hands. This made the ransomware gang disappear immediately, and all their servers were shut down.
As a result, the victims could not recover their files. However, the master key was later delivered to the Kaseya victims. It is believed that the gang passed on the master key to the Russian intelligence department, which in turn handed it over to the Kaseya victims through the FBI to protect their relationship with the US.
The most recent victim of REvil was added on July 8, 2021, and five days later the gang’s site went down.
However, REvil’s infrastructure suddenly turned back on on September 8, 2021, and its sites came back online. Their leak site ‘Happy Blog’ seems to be fully functional, whereas their Tor negotiation site is yet to restore its full functionality.
The gang’s http://decoder.re/ site is offline at this time.