REvil ransomware’s servers in the TOR network are back up to date after months of inactivity and are being redirected to a new operation that appears to have started since at least mid-December last year.
It’s unclear who is behind the new REvil-linked operation, but the new leak site lists a large catalog of victims of past REvil attacks plus two new ones.
New RaaS in the making
A few days ago, however, security researchers pancak3 and Soufiane Tahiric noted that the new REvil leak site is being promoted on RuTOR, a forum marketplace targeting Russian-speaking regions.
The new site will be hosted on a different domain, but will lead to the original one that REvil was using when it was active, BleepingComputer confirmed today, as the two researchers ccaught the redirection.
The leak site details the terms and conditions for affiliates, which are reportedly getting an enhanced version of REvil ransomware and an 80/20 split for affiliates demanding ransom.
source: BleepingComputer
The site lists 26 pages of casualties, most of them from old REvil attacks, and only the last two seem to be related to the new operation. One of these is Oil India.
Security Investigator MalwareHunterTeam in January, a few weeks after 14 alleged gang members were arrested in Russia, they said they noticed activity of a new ransomware gang linked to REvil as of mid-December last year, although there was no connection.
The researcher observed later the current REvil-related leak site that was up and running between April 5 and April 10, but ran out of content and was filled about a week later.
Another observation from MalwareHunterTeam is that the source for the RSS feed shows the string Corp Leaks, which has been used by the now-defunct Nefilim ransomware gang [1, 2]†
source: BleepingComputer
The blogging and payment sites operate on different servers. Looking at the first, BleepingComputer noted that the blog of the new ransomware operation places a cookie called DEADBEEF, a computer term used as a file marker by the TeslaCrypt ransomware gang.
source: BleepingComputer
A connection to a ransomware threat actor is not possible at this time as samples of the new REvil-based payload need to be analyzed and whoever is behind the new leak site has not yet claimed a name or connection.
While under FBI control in November 2021, REvil’s data breach and payment sites displayed a page titled “REvil is bad” and a login form, initially through TOR gateways and at the .Onion location.
The mystery of the redirects, both recent and last year, is growing, as it suggests that someone other than law enforcement had access to the TOR private keys that allowed them to make changes to the .Onion site.
On a popular Russian-speaking hacker forum, users are speculating whether the new operation is a scam, a honeypot, or a legitimate continuation of the old REvil company that lost its reputation and will have to do a lot to recoup it.
REvil’s trap
REvil ransomware had a long run that started in April 2019 as a continuation of the GandCrab operation, the first to establish the ransomware-as-a-service (RaaS) model.
In August 2019, the gang hit multiple Texas local authorities and demanded a collective ransom of $2.5 million – the highest at the time.
The group is responsible for the attack on Kaseya’s supply chain that affected approximately 1,500 companies and led to their demise last year as law enforcement officers around the world stepped up their cooperation to take down the gang.
Shortly after hitting Kaseya, the gang took a two-month hiatus, unaware that law enforcement had breached their servers. When REvil restarted the operation, they restored systems from backups, oblivious to the compromise.
In mid-January, Russia announced it had shut down REvil after it identified all members of the gang and arrested 14 people.
“As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized” The Russian Federal Security Service
In an interview with Rossiyskaya Gazeta, the deputy secretary of the Security Council of the Russian Federation, Oleg Khramov, said that the Russian law enforcement agency began its investigation into REvil under the name Puzyrevsky and an IP address provided by the United States as belonging to the main hacker. from the group.
At this point, the US has stopped cooperating with Russia on cybersecurity threats, especially attacks on critical infrastructure, as a direct result of the Russian invasion of Ukraine.
This post REvil’s TOR Sites Come To Life To Redirect To New Ransomware Operation
was original published at “https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/”