REvil's TOR Domains Spring to Life And Directing Users to New Ransomware Campaign 

REvil's ransomware servers on the TOR network have come back online after months of inactivity and now redirect to a new operation that has been active since at least mid-December of last year. It is not known who is behind the new REvil-linked operation, but its leak site lists a long run of victims, most carried over from earlier REvil attacks, plus two new ones. 

A few days ago, security researchers pancak3 and Soufiane Tahiri spotted the new REvil leak site being promoted on RuTOR, a forum marketplace aimed at Russian-speaking users. The new site is hosted on a different domain but leads to the original one REvil used while it was active, which the two researchers were able to capture. 

The leak site sets out the terms for affiliates, who are supposedly given an improved version of the REvil ransomware and an 80/20 split of any ransoms collected. The site carries 26 victim pages, most of them from earlier REvil attacks; only the last two appear to be tied to the current activity. Oil India is one of the two. 

In January, a few weeks after 14 alleged gang members were arrested in Russia, security researcher MalwareHunterTeam reported seeing activity since mid-December of last year from a new ransomware group that appeared connected to REvil, although no firm link between the two could be established. According to the researcher, the latest REvil-related leak site was online between April 5 and April 10 but held no content; it began to be populated about a week later. 

MalwareHunterTeam also noticed that the source of the site's RSS feed contains the string Corp Leaks, which was previously used by the now-defunct Nefilim ransomware operation. The blog and the payment site are both up and running on separate servers. Looking at the former, it was found that the new operation's blog sets a cookie named DEADBEEF, a well-known hexadecimal placeholder value that the TeslaCrypt ransomware used as a file marker. 

For now, the new REvil-based payload cannot be attributed to a specific ransomware threat actor: samples of the new payload still need to be analyzed, and whoever is behind the new leak site has yet to reveal a name or affiliation. While under FBI control in November 2021, REvil's data leak and payment sites displayed a page labeled "REvil is terrible" together with a login form, first through TOR gateways and later at the .onion address itself. 

The redirection deepens the mystery, because it suggests that someone other than law enforcement holds the TOR private keys for the old .onion address, which are needed to change what that address serves: a .onion address is derived from the service's key pair, so only the holder of the private key can publish a service under it. Users on a popular Russian-language hacker forum are debating whether the new operation is a scam, a honeypot, or a genuine continuation of the old REvil operation, which in any case still has a long way to go to rebuild its reputation. 
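Why controlling the old address implies holding its key: a v3 .onion hostname is nothing more than the service's Ed25519 public key, a two-byte checksum and a version byte, base32-encoded. The Python below is an added illustration written for this page, not code from the article or from any of the researchers it cites. It implements the address derivation from Tor's rend-spec-v3 and a check that the `hostname` file in a HiddenServiceDir actually belongs to the key in `hs_ed25519_public_key`; the key bytes used in the demo are constructed for the example and belong to no real onion service, REvil's or otherwise.

```python
import base64
import hashlib

# Tor v3 onion-service address format (rend-spec-v3, section 6):
#   onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
# PUBKEY is the 32-byte Ed25519 public key, VERSION is the single byte 0x03.
ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"

# Header Tor writes at the start of HiddenServiceDir/hs_ed25519_public_key:
# 29 ASCII bytes NUL-padded to 32 bytes, followed by the 32-byte raw key.
TOR_PUBKEY_HEADER = b"== ed25519v1-public: type0 ==".ljust(32, b"\x00")


def onion_v3_address(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname for a 32-byte Ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be exactly 32 bytes")
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]
    # 35 bytes encode to exactly 56 base32 characters with no padding.
    payload = pubkey + checksum + ONION_V3_VERSION
    return base64.b32encode(payload).decode("ascii").lower() + ".onion"


def parse_onion_v3(address: str):
    """Validate a v3 .onion hostname and return the embedded public key,
    or None if the length, version byte or checksum does not check out."""
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != 56:
        return None
    try:
        raw = base64.b32decode(host, casefold=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        return None
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    if checksum != expected:
        return None
    return pubkey


def pubkey_from_tor_keyfile(data: bytes) -> bytes:
    """Extract the raw public key from the bytes of hs_ed25519_public_key."""
    if len(data) != 64 or data[:32] != TOR_PUBKEY_HEADER:
        raise ValueError("not a Tor hs_ed25519_public_key file")
    return data[32:]


def hostname_matches_key(hostname: str, keyfile_data: bytes) -> bool:
    """True iff the address in HiddenServiceDir/hostname was derived from this key.
    A mismatch means the key on disk cannot serve that address."""
    return onion_v3_address(pubkey_from_tor_keyfile(keyfile_data)) == hostname.strip().lower()


if __name__ == "__main__":
    # Constructed key material for illustration only: not a real Ed25519 key
    # and not associated with any real onion service.
    sample_pubkey = hashlib.sha256(b"constructed example, not a real onion service").digest()
    addr = onion_v3_address(sample_pubkey)
    print(addr)
    print("round-trips:", parse_onion_v3(addr) == sample_pubkey)
    print("matches keyfile:", hostname_matches_key(addr, TOR_PUBKEY_HEADER + sample_pubkey))
```

The practical consequence is the one the article hints at: there is no registrar or DNS to seize, so re-pointing an existing .onion address is only possible for whoever holds the matching private key. Conversely, `parse_onion_v3` is a cheap sanity check for addresses pulled from forum posts or leak-site pages, since a mistyped or fabricated address will fail the checksum.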

About the author

CIM Team
