While the group took down all of its websites and essentially shut down its operations back in September of 2021 before being dismantled by Russia’s FSB at the beginning of this year, its sites on Tor now redirect to a new ransomware operation that launched only recently.
At this time, it is still unclear as to who or which group is behind this new operation but the new leak site contains a lengthy list of past REvil victims as well as two new ones.
According to BleepingComputer, security researchers pancak3 and Soufiane Tahiri recently spotted ads promoting the new REvil leak site on the Russian online hacking forum RuTOR. Despite the fact that the new site is hosted on a different domain, it still leads to the original one REvil used during its heyday.
Who’s running the new leak site?
As cybercriminals have started employing a Ransomware-as-a-Service (RaaS) model, the new leak site explains that affiliates get an improved version of the REvil ransomware as well as a 80/20 split of all of the ransom payments collected.
When it comes to victims, the site features a 26-page list and while most of them are from previous attacks, the last two appear to be related to this new operation and one of which includes Oil India.
In November of last year when REvil’s data leak and payment sites were still under the control of the FBI, both sites showed a page with the title “REvil is bad” alongside a login form. Even though law enforcement seized the ransomware group’s sites, these redirects suggest that someone else has access to the Tor private keys that made it possible for them to make changes to the group’s .Onion site.
Users on a popular Russian-speaking hacking forum have begun discussing whether the new leak site is a scam, a honeypot set up by the authorities or a legitimate continuation of REvil’s prior business. To make matters more confusing, there are currently multiple ransomware operations that are using REvil’s encryptors or are outright impersonating the original group.
Once security researchers take a closer look at the new leak site, we may finally have some answers regarding whether or not the REvil ransomware group has magically come back from the dead.