Expectations that the notorious Russian-speaking REvil ransomware group’s sudden and mysterious disappearance from the scene about two months ago would be a permanent one have been dashed.
Researchers from CrowdStrike this week reported seeing the group — regarded as one of the most prolific ransomware-as-a-service (RaaS) operators in recent memory — suddenly put their main extortion website and payment portal back online on Sept. 7. The security vendor said it had not observed anything to suggest the group had snagged more victims. But REvil’s apparent decision to bring its “Happy Blog” leak website back to life suggests the group is ready to restart operations after a two-month break, CrowdStrike said.
In a blog posted Thursday, Flashpoint said a threat actor using the alias “REvil” surfaced this week on a Russian-language cybercrime forum called Exploit, claiming to be the representative of the REvil group. The individual claimed the REvil ransomware group had managed to restore full operations using backups, Flashpoint said.
“For all intents and purposes, it appears that REvil is fully operational after its hiatus,” the vendor noted.
“CrowdStrike Intelligence observed that PINCHY SPIDER, commonly known as REvil, put their extortion site and payment portals back online” on Sept. 7, says Adam Meyers, CrowdStrike’s senior vice president of intelligence. “Currently, we have not observed any new victims, but ultimately the group is back to make money as ransomware is very profitable.”
It’s not unusual at all for threat groups to take sporadic breaks from their operations, either because they are attracting too much attention or because they want to regroup and refresh their attack kits and capabilities before launching a new campaign. REvil’s case is slightly different because many believed the group had been forced to stop operations by law enforcement in Russia following widespread concern in the US over two specific attacks involving the use of its malware.
One of these was a late May ransomware attack targeting JBS, one of the world’s largest meat suppliers. The attack forced a temporary shutdown of all the company’s beef plants in the US and raised the specter of considerable disruption to US meat supplies. JBS ended up paying $11 million to regain access to its systems.
The other was an early July attack against IT management software vendor Kaseya that impacted systems at dozens of managed service providers and, in turn, more than 1,000 of their customers. REvil then demanded a $70 million ransom in return for the decryption key for unlocking systems that were encrypted in the attack.
The two attacks, along with a potential REvil link to an even more disastrous May ransomware attack on Colonial Pipeline, which temporarily disrupted oil supplies across the US eastern seaboard, suddenly elevated REvil to a national-level security threat. These attacks showed the group was not just capable, but willing to go after critical operations networks and targets of strategic national importance to the US — a line threat groups have previously been hesitant to cross due to fear of repercussions.
Soon after the Kaseya attack, US President Biden said he had directed US intelligence agencies to investigate the intrusion and that the US would respond if the investigation showed Russian involvement. A Reuters report quoted President Biden as urging Russian President Putin, during a June meeting in Geneva, to crack down on hacking activity from the country or face potential consequences from the US.
Pressured to Stop or Voluntary Break?
So when REvil — also known as Sodinokibi — suddenly ceased operations in July, many assumed the group had done so under direct pressure from Russian law enforcement or another high-level authority. Its TOR infrastructure went mysteriously dark soon after Kaseya said it had received a master decryption key to unlock systems that had been compromised by REvil’s attack. Some speculated the threat group had somehow been pressured into handing over the decryption keys. According to Flashpoint, however, the REvil representative who surfaced this week on the Exploit forum claimed the Kaseya decryptor key was accidentally leaked by law enforcement agencies.
“While it is common for e-crime actors to take a summer break, the timing of the disappearance in proximity to the JBS/Kaseya incident indicates the group may have temporarily paused operations to evaluate security and allow public scrutiny to dissipate,” CrowdStrike’s Meyers says.
Ivan Righi, cyber threat intelligence analyst at Digital Shadows, says details of what appears to be at least one new REvil victim were posted on the group’s Happy Blog data leak site after it returned.
“This new victim was also posted on Dopple Leaks, the data leak site for the DoppelPaymer ransomware, on March 1, 2021,” he says.
Righi says there are multiple likely explanations for REvil’s disappearance.
“The group may have faced a high amount of pressure from law enforcement following its attack on Kaseya, or the group may simply have chosen to take a break or ‘vacation’ from its operations,” he says.
REvil has typically been an outspoken group, so it’s possible they will shed some light on why they disappeared for the past two months, Righi says.