REvil Tor sites have come back to life

New leak site lists both past and new ransomware victims


The Tor sites of the infamous REvil ransomware group have suddenly come back online following months of inactivity.

While the group took down all of its websites and essentially shut down its operations back in September of 2021, before being dismantled by Russia’s FSB at the beginning of this year, its sites on Tor now redirect to a new ransomware operation that launched only recently.


At this time, it is still unclear who or which group is behind this new operation, but the new leak site contains a lengthy list of past REvil victims as well as two new ones.

According to BleepingComputer, security researchers pancak3 and Soufiane Tahiri recently spotted ads promoting the new REvil leak site on the Russian online hacking forum RuTOR. Despite the fact that the new site is hosted on a different domain, it still leads to the original one REvil used during its heyday.

Who’s running the new leak site?

As cybercriminals have started employing a Ransomware-as-a-Service (RaaS) model, the new leak site explains that affiliates get an improved version of the REvil ransomware as well as an 80/20 split of all of the ransom payments collected.

When it comes to victims, the site features a 26-page list. While most of the entries are from previous attacks, the last two appear to be related to this new operation, and one of them is Oil India.

In November of last year, when REvil’s data leak and payment sites were still under the control of the FBI, both sites showed a page with the title “REvil is bad” alongside a login form. Even though law enforcement seized the ransomware group’s sites, these redirects suggest that someone else has access to the Tor private keys, which is what made it possible for them to make changes to the group’s .onion site.
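Why possession of the private key matters here: a v3 .onion address is not a name that can be re-registered; it is a base32 encoding of the service’s public key plus a checksum and version byte, so only whoever holds the matching private key can publish descriptors for that address. The following is an added example (not from the article, nor from any REvil or Tor code) that derives and validates a v3 onion address from a 32-byte public key following Tor’s v3 onion service address format. The sample keys are constructed placeholders, not keys of any real service.

```python
import base64
import hashlib

# Tor v3 onion service address format:
#   onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
#   VERSION       = 0x03
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"

# Constructed placeholder public keys (any 32 bytes stand in for an
# ed25519 public key here); these are NOT real onion service keys.
SAMPLE_PUBKEY_A = hashlib.sha256(b"constructed example key A, not a real service").digest()
SAMPLE_PUBKEY_B = hashlib.sha256(b"constructed example key B, not a real service").digest()


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum binding the public key and version byte together."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the .onion address committed to by a 32-byte public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public keys are exactly 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> bytes:
    """Return the public key encoded in a v3 address, or raise ValueError."""
    if not address.endswith(".onion"):
        raise ValueError("missing .onion suffix")
    label = address[:-len(".onion")]
    if len(label) != 56:
        raise ValueError("v3 onion labels are 56 characters")
    raw = base64.b32decode(label.upper())  # raises binascii.Error (a ValueError) on bad input
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address does not match its key")
    return pubkey


def is_valid_onion_address(address: str) -> bool:
    """Defender-side check: does this string parse as a well-formed v3 address?"""
    try:
        parse_onion_address(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    addr = onion_address(SAMPLE_PUBKEY_A)
    print("derived address:", addr)
    print("round-trips to same key:", parse_onion_address(addr) == SAMPLE_PUBKEY_A)
    # Every v3 address ends in 'd' because the version byte 0x03 lands in the
    # final base32 character; altering it breaks validation.
    print("tampered address valid:", is_valid_onion_address(addr[:-7] + "a.onion"))
```

The practical takeaway for analysts is that a leak site serving new content at an address previously seized by law enforcement is evidence that the address’s private key changed hands, since the address cannot be claimed without it; a different domain that merely redirects to the old .onion address, as described above, does not require that key.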


Users on a popular Russian-speaking hacking forum have begun discussing whether the new leak site is a scam, a honeypot set up by the authorities, or a legitimate continuation of REvil’s prior business. To make matters more confusing, there are currently multiple ransomware operations that are using REvil’s encryptors or are outright impersonating the original group.

Once security researchers take a closer look at the new leak site, we may finally have some answers regarding whether or not the REvil ransomware group has magically come back from the dead.

Via BleepingComputer

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
