REvil Ransomware Groups Sudden Re-emergence Sparks Concerns

Published: 23/11/2024   Category: security




Some had hoped the notorious Russia-based group had been pressured to quit for good after a couple of especially egregious attacks on US targets earlier this year.



Expectations that the notorious Russian-speaking REvil ransomware group's sudden and mysterious disappearance from the scene about two months ago would be a permanent one have been dashed.

Researchers from CrowdStrike this week reported seeing the group — regarded as one of the most prolific ransomware-as-a-service (RaaS) operators in recent memory — suddenly put their main extortion website and payment portal back online on Sept. 7. The security vendor said it had not observed anything to suggest the group had snagged more victims. But REvil's apparent decision to bring its "Happy Blog" leak website back to life suggests the group is ready to restart operations after a two-month break, CrowdStrike said.
In a blog posted Thursday, Flashpoint said a threat actor using the alias "REvil" surfaced this week on a Russian-language cybercrime forum called Exploit, claiming to be the representative of the REvil group. The individual claimed the REvil ransomware group had managed to restore full operations using backups, Flashpoint said. "For all intents and purposes, it appears that REvil is fully operational after its hiatus," the vendor noted.
"CrowdStrike Intelligence observed that PINCHY SPIDER, commonly known as REvil, put their extortion site and payment portals back online on Sept. 7," says Adam Meyers, CrowdStrike's senior vice president of intelligence. "Currently, we have not observed any new victims, but ultimately the group is back to make money as ransomware is very profitable."
It's not unusual at all for threat groups to take sporadic breaks from their operations, either because they are attracting too much attention or because they want to regroup and refresh their attack kits and capabilities before launching a new campaign. REvil's case is slightly different because many believed the group had been forced to stop operations by law enforcement in Russia following widespread concern in the US over two specific attacks involving the use of its malware.
One of these was a late May ransomware attack targeting JBS, one of the world's largest meat suppliers. The attack forced a temporary shutdown of all the company's beef plants in the US and raised the specter of considerable disruption to US meat supplies. JBS ended up paying $11 million to regain access to its systems.
The other was an early July attack against IT management software vendor Kaseya that impacted systems at dozens of managed service providers and, in turn, more than 1,000 of their customers. REvil then demanded a $70 million ransom in return for the decryption key for unlocking systems that were encrypted in the attack.
The two attacks, along with a potential REvil link to an even more disastrous May ransomware attack on Colonial Pipeline, which temporarily disrupted oil supplies across the US eastern seaboard, suddenly elevated REvil to a national-level security threat. These attacks showed the group was not just capable, but willing to go after critical operations networks and targets of strategic national importance to the US — a line threat groups have previously been hesitant to cross due to fear of repercussions.
Soon after the Kaseya attack, US President Biden said he had directed US intelligence agencies to investigate the intrusion and that the US would respond if the investigation showed Russian involvement. A Reuters report quoted President Biden as urging Russian President Putin, during a June meeting in Geneva, to crack down on hacking activity from the country or face potential consequences from the US.
Pressured to Stop or Voluntary Break?
So when REvil — also known as Sodinokibi — suddenly ceased operations in July, many assumed the group had done so under direct pressure from Russian law enforcement or another high-level authority. Its TOR infrastructure went mysteriously dark soon after Kaseya said it had received a master decryption key to unlock systems that had been compromised by REvil's attack. Some speculated the threat group had somehow been pressured into handing over the decryption keys. According to Flashpoint, however, the REvil representative that surfaced this week on the Exploit forum claimed the Kaseya decryptor key was accidentally leaked by law enforcement agencies.

"While it is common for e-crime actors to take a summer break, the timing of the disappearance in proximity to the JBS/Kaseya incident indicates the group may have temporarily paused operations to evaluate security and allow public scrutiny to dissipate," CrowdStrike's Meyers says.
Ivan Righi, cyber threat intelligence analyst at Digital Shadows, says details of what appears to be at least one new REvil victim were posted on the group's Happy Blog data leak site after it returned. "This new victim was also posted on Dopple Leaks, the data leak site for the DoppelPaymer ransomware, on March 1, 2021," he says.
Righi says there are multiple likely explanations for REvil's disappearance. "The group may have faced a high amount of pressure from law enforcement following its attack on Kaseya, or the group may simply have chosen to take a break or vacation from its operations," he says. "REvil has typically been an outspoken group, so it's possible they will shed some light on why they disappeared for the past two months," Righi says.
