In mid-July the REvil ransomware group, linked to the Kaseya and JBS incidents among other attacks, appeared to go out of business. It turns out they may have just been taking a refreshing summer break. The group’s “Happy Blog,” where victims are extorted with the threat of disclosure of sensitive stolen information, has returned to the dark web. The group has not issued any statements or updates yet, but it has also reactivated its payment portal for victims. The list of current victims that was active when the site was pulled two months ago has also been restored.
REvil ransomware group not giving up just yet?
It’s not uncommon for successful ransomware groups to suddenly go out of business due to having attracted too much attention with their escapades, so it wasn’t all that surprising to see the REvil ransomware gang disappear from the dark web after the severe attacks on Kaseya (which is estimated to have hit at least 1,000 companies) and JBS (which threatened meat supplies and prices in both Brazil and the United States).
Ransomware gangs often take several months off and then re-form under a different name. The REvil ransomware group disappeared for only a little under two months, and appears to be returning to its old business as-is, given the reappearance of the infamous “Happy Blog” and its payment portals under the same branding.
REvil must have had a very memorable summer vacation, given that the group is thought to have extorted about $100 million in total prior to shutting down. It is unknown exactly why the group took this hiatus, but it disappeared shortly after President Biden ordered US intelligence agencies to investigate the Kaseya attack. There was some speculation that the Russian government had put pressure on REvil as part of ongoing talks between the Putin administration and the US about curbing the rampant for-profit criminal hacking coming out of the region. However, if REvil ransomware begins infecting new systems, it would suggest that the Kremlin either never intervened or that whatever pressure it applied has since lapsed.
Ransomware gang revives dark web infrastructure
There are no new reported victims so far, but it seems unlikely that the group would revive its entire dark web infrastructure were it not planning to make use of it. The last known REvil ransomware incident was on July 8, just before the group scrubbed its presence from the internet. The victim was a law firm, and REvil took to the Happy Blog to claim that they had captured court case files, Social Security numbers and dates of birth for the firm’s clients.
The operation does not seem to be fully underway yet, as the payment site is not yet accepting logins. The negotiation site, however, is back up and fully functional, a fairly strong indication that the group intends to get back to work. Prior to shutting down, REvil ransomware accounted for 23% of all ransomware attacks worldwide.
The group certainly has a winning formula, but going straight back to the old infrastructure and methods means that the world’s law enforcement agencies will be right on them (if they had even ceased the ongoing investigations in the first place). There is the outside possibility that some law enforcement or intelligence agency has managed to take over the group’s infrastructure and is firing it back up as some sort of honeypot to entrap its “ransomware as a service” clients. Some victims may actually be hoping that the group is legitimately back in action, as they were left in the lurch by the sudden disappearance and unable to pay to have their systems unlocked.
The victims of the Kaseya attack received some relief in the form of a decryption key, provided to the company in August by an unknown “trusted third party.” Initially believed to be a universal key for all files encrypted by REvil ransomware, it turned out to work only for files encrypted in the Kaseya attack. Kaseya says that it had to sign a non-disclosure agreement to receive the key, leading to speculation that it was provided by Russian intelligence.
While the REvil ransomware gang has not shown any signs of activity yet beyond the reactivation of its website, a group called “BlackMatter” appeared in late July claiming to be composed of former members of REvil and of the DarkSide gang behind the Colonial Pipeline attack. There is no way to verify that the poster is telling the truth, but at least one attack during the group’s hiatus used a patched version of the REvil ransomware. That attack could have been carried out by any number of REvil’s former affiliates, however. BlackMatter reportedly deposited four Bitcoin (about $120,000) in an escrow account to demonstrate its capability, but REvil would have access to a far larger pool of funds than that. The whole mystery may not be resolved unless REvil ransomware attacks begin again.