REvil Ransomware Gang Returns

The notorious REvil ransomware group is back, targeting new victims and leaking stolen files on a data leak site, an information security and technology news outlet reported Saturday.

REvil RansomwareThe notorious REvil ransomware group is back, targeting new victims and leaking stolen files on a data leak site. (Photo: Pxfuel, DMCA, free for commercial use)The Russian hacker group REvil (Ransomware Evil), known for conducting attacks on organizations around the world and demanding million-dollar ransoms in exchange for a decryption key needed to prevent the leaking of stolen files, simply vanished from the internet in July before reappearing last week, according to Bleeping Computer.

“After their shutdown, researchers and law enforcement believed that REvil would rebrand as a new ransomware operation at some point. However, much to our surprise, the REvil ransomware gang came back to life… under the same name,” the report said.

According to the report: REvil disappeared in early July following a major cyber assault in which it encrypted 60 managed service providers and more than 1,500 companies by exploiting a “zero-day vulnerability in the Kaseya VSA remote management platform.”

Kaseya, the leading provider of IT and security management solutions for managed service providers (MSPs) and small to medium-sized businesses (SMBs), went public with the attack at the time and responded quickly to a “ransomware attack on its VSA (sophisticated remote monitoring and management platform) customers launched over the Fourth of July holiday weekend.”

Global meat supplier JBS, foreign exchange company Travelex, some well known fashion companies and Brazilian health insurer Grupo Fleury, were among the compromised subjects.

“REvil then demanded US$50 million for a universal decryptor for all Kaseya victims, $5 million [per]  MSP's decryption, and a $44,999 ransom for individual file encryption extensions at affected businesses,” according to Bleeping Computer.

The attack reportedly had such far-reaching global ramifications that it drew the full focus of international law enforcement on the gang, which then disappeared, “leaving many victims in a lurch with no way of decrypting their files.”

However, two months later, the so-called Tor payment/negotiation sites — popular among cybercriminals to conceal their origins and make it difficult to identify the individuals behind the malware campaign — and data leak sites, controlled by REvil, abruptly reactivated and became accessible.

At the same time, REvil’s Tor payment sites became operational and accessible for payments and negotiations. The Tor uses a countdown mechanism, usually giving 72 hours to the victim to pay the ransom in order to get back stolen data.

All previous victims’ clocks were reportedly reset, as if the clock stopped on the ransom demands when REvil shut down in  July. Now the clocks are ticking again, presumably.

The cyber gang’s two-month disappearance remains a mystery, although a few explanations have surfaced in public.

One explanation, apparently posted by REvil itself on some hacking forums, says that the gang believed that a key member identified only as Unknown or “UNKN”, was arrested, so it shut down its servers to prevent investigators from gaining access.

In another version, the cyber criminals simply took a break, according to Bleeping Computer.