REvil ransomware group disappears, again

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 19 Oct 2021

On Sunday 17 October, the notorious ransomware group REvil’s Happy Blog went offline and is no longer accessible. Following an attack, as part of its extortion scheme, REvil would threaten to publish stolen information on this page unless the victim ponied up the ransom.

On the same day, one of the bad actors behind REvil announced on the Russian-language cyber criminal forum XSS that the group was shutting down after its domain had been 'hijacked', saying an unidentified individual had used the private Tor keys of the group’s former spokesperson, 'Unknown', to access REvil’s domain.

This was revealed by Flashpoint, whose analysts are tracking the evolving situation around the re-disappearance of REvil.

Satnam Narang, a staff research engineer for the security firm Tenable, claims REvil’s name is a combination of “ransomware” and “evil”. The criminal group is also known as Sodinokibi, and is behind some of the most notorious ransomware attacks, including Kaseya in July this year.

REvil acts as a criminal enterprise that sells hacking technology and other tools of malfeasance to third-party hackers. Its members have created online infrastructure on the dark Web for other hackers to post stolen information and collect ransomware payments, taking a cut of any payments.

In July this year, REvil shut down because its operators believed Unknown had disappeared. However, between 12 and 5pm Moscow time, the group claimed its domain had been accessed using Unknown’s keys, confirming its fears that a third party had backups of its service keys.

REvil’s operator claimed that the ransomware’s server was compromised, and that the hijacker deleted the access of the group’s representative, 0_neday, to its hidden admin server. 0_neday claimed the hijacker was looking for them, and signed off XSS wishing the members good luck.

According to Flashpoint analysts, this was an unexpected twist in REvil’s attempt to rebuild its operations, as the group had recently begun recruiting new associates on RAMP, a new Russian-speaking ransomware-as-a-service forum, and was offering unusually high commissions of 90% to attract them.

Flashpoint says its analysts are tracking the situation and will provide updates as they arise.

Users on the XSS forum were suspicious of this new announcement, and the LockBit ransomware gang’s spokesperson claimed this latest disappearance is proof that REvil’s re-emergence in September this year was part of an elaborate FBI plot to catch REvil affiliates.

Several bad actors agreed with this assessment and added that they think REvil will re-emerge again under a completely new name, leaving recent scandals behind, and without having to pay out old affiliates.

Another cyber criminal added, paraphrasing Shakespeare, “Something is rotten in the state of ransomware.”