Revil ransomware servers resurface

Would the cybergang behind Revil make a comeback? Suddenly disappeared at the end of July, leaving victims in the process of being unable to recover their encrypted data, this operator had not given any sign of life since. At least officially, since a few days later questions emerged following the discovery of BlackMatter and Haron ransomware which could well be linked with their elder Revil. Just recently, another unexpected fact about Revil also occurred: the bringing back online of servers used for malicious cybergang operations, in particular to collect funds extorted from its targets.

“The Tor payment / trading site and Revil’s Tor data-leak site ‘Happy Blog’ suddenly came back online,” Bleeping Computer said on Sept. 7. “Unlike the data breach site, which is functional, the Tor trading site does not appear to be fully operational yet.” For the moment, it is difficult to know if this is a real resurrection or a fortuitous relaunch without a future. Another site related to Revil’s file decryption still remains offline.

Revil in FBI sights in July

Revil – aka Sodinokibi – had in particular been talked about by managing to exploit the VSA vulnerability of Kaseya in early July 2021, a solution used by dozens of hosted service providers (MSPs). The result was mass rebound attacks that could affect several hundred companies. Previously, Revil had caught the Taiwanese manufacturer Acer in its clutches with a demanded ransom of $ 50 million and $ 11 million from the American subsidiary of the multinational food company JBS. This latest cyberattack caused the wrath of the White House, the FBI, the Department of Agriculture as well as the Australian and Canadian governments, thus contributing to its downfall. Definitive?