The recent news about the resurfacing of the REvil ransomware group has been confirmed to be true.
Also known as Sodinokibi, this group has been aggressively targeting organizations all around the world since 2019. REvil demands million-dollar ransoms from its victims in exchange for a decryption key and a promise not to publish the stolen data. Some well-known victims of the REvil ransomware group are JBS, Travelex, Kenneth Cole, and Coop.
REvil disappeared completely after the MSP supply-chain attack on July 2nd. Surprisingly, the group has returned after two months under the same identity.
On September 7th, the gang’s Tor negotiation/payment and data leak sites unexpectedly came back online and became accessible. The timers of all previous victims were reset, and their ransom demands appeared to be unchanged from when the ransomware group went dark in July.
The group has also launched new attacks. Screenshots of data stolen from a fresh victim, posted on their data leak site, indicate that they have resumed operations.
Their earlier representative, known as ‘UNKN’ or ‘Unknown’, disappeared. A new representative, “REvil”, emerged instead on September 9th and started posting on hacking forums, saying that the gang had temporarily shut down after the arrest of ‘Unknown’ and the compromise of its servers.
Based on claims by the new REvil representative on one of the hacking forums, it became clear that law enforcement obtained Kaseya’s universal decryptor after gaining access to some of REvil’s servers.
The reason for REvil’s disappearance is still unknown, but the primary issue today is its reappearance and the continuation of ransomware attacks against businesses all over the world. It’s time for security professionals and network administrators to prepare to resist the tactics of REvil’s skilled affiliates.