The ransomware group busted in January by Russian authorities acting on a US tip-off may have resurfaced, as a result of heightened tensions between Moscow and Washington in the wake of the Ukraine invasion.

REvil was taken down in a high-profile operation conducted by Russian security service the FSB, a move that surprised many at the time given Moscow’s prior tolerance of cybercriminal gangs operating on its soil. In light of the Russian attack on Ukraine weeks later, the crackdown appeared even more inexplicable.

Now it appears as though Russia has reversed its tougher stance against threat actors, although many observers have cautioned that the group currently claiming to be REvil could simply be impostors trying to cash in on its notoriety, or even another sting by the Kremlin to entrap further cybercriminals.

“It is currently unclear whether the restart of infrastructure associated with REvil represents a genuine return to activity for the group, a scam, or a potential honeypot operation by law enforcement,” said Chris Morgan, senior analyst at cybersecurity firm Digital Shadows.

As ever, Twitter was aflutter with speculation and diverging opinions, with some suggesting that the group claiming to be REvil was behind this month’s cyberattack on Oil India, which faced a ransom demand of $7.5 million after its defenses were breached. But with the petroleum firm claiming the culprit’s identity is undetermined, and other sources saying that the attack used Russian malware but was launched from Nigeria, such claims are speculative at best.

“It is realistically possible that Russian authorities have dropped their investigation into the group, or otherwise indicated that REvil could restart their operations,” said Morgan.

But he added: “On the other hand, it is also possible that REvil’s return may have been influenced through former members of the group, aiming to take advantage of the brand’s former fame and trying to run the operation on their own. Some have also suggested that the return may have been facilitated by Russian law enforcement to entrap other members of REvil’s former operation.”

The last theory appears the least likely, given that alleged victims including Oil India and Visotec Group have been posted to REvil’s blog site, a dark web page that was recently reactivated.

Pointing to a lack of sufficient evidence, Morgan said it would remain unclear for the foreseeable future whether this is in fact the original REvil, or simply another group operating under its name.

“If the return is legitimate, it is realistically possible that this clarification will be provided by the group in the coming weeks,” he said.
