Sep 13, 2021

Just a few months ago, the REvil ransomware group seemed to be everywhere—in a frenetic burst of activity the group’s crime spree included attacks on the likes of JBS , Travelex and Kaseya . And then—nothing. After drawing heat from law enforcement after the devastating Kaseya attack, REvil dropped out of sight on July 13, 2021 leaving a lot of anxious victims without a decryptor to release their encrypted files. But now, after months of speculation over whether the group had made its final exit or was simply doing business under another name, REvil has made what Satnam Narang, a researcher at Tenable, calls an unprecedented return. “Typically, when ransomware groups and their associated leak websites go offline, they either shut down their operations on their own and often provide decryption keys, or law enforcement has shut down their operations,” said Narang. “After all of the attention REvil received following the Kaseya attack, REvil’s exit was abrupt and led to tons of speculation. The entire community was wondering whether or not they would rebrand and return under a new ransomware moniker. REvil’s return is therefore unprecedented.” Indeed, Narang said, “We haven’t seen this happen in this fashion before.” But the industry was rife with reports that “the DarkSide ransomware group has re-emerged as BlackMatter, with new branding and a new set of rules,” he explained. “What connects the two, though, is the actual ransomware itself that’s almost the same as another.” The first hints that REvil might be back was the return of its Happy Blog and Tor payment site, among others, which it has used in the past to detail its exploits, leak information and arrange ransom payments. Shortly after, a new REvil ransomware appeared on Virus Total along with online claims by the group on a Russian hacking forum that they’ve executed additional attacks. REvil’s reemergence doesn’t bode well for potential targets. “REvil isn’t the only ransomware-as-a-service (RaaS) group in town. There are many that are in this space, but REvil is a  well-oiled machine, so they have built up a lot of credibility and trust with affiliates,” said Narang. “This means we should expect to hear about new attacks and, subsequently, new victims.” But just how REvil will proceed going forward is anyone’s guess—though it appears it will be without their representative “Unknown.” It seems a new representative, simply called “REvil,” has taken Unknown’s place. “It is still unclear what REvil’s future holds. Whether this resurgence is the beginning of a full-fledged return to operations remains to be seen,” said Narang. “It is certainly possible that REvil is gearing up for another phase of attacks.” Even though there are plenty of competitors “in this space gaining notoriety,” said Narang, “REvil is one of the premiere ransomware-as-a-service operations and they will likely return to prominence in due time.” The group’s evolution also reflects a shifting ransomware landscape where double extortion and data exfiltration have risen to prominence. “In the future, it wouldn’t be surprising to see many ransomware groups shift tactics and move to a full operation of just exfiltrating stolen data and threatening to leak it,” said Narang. Additionally, ransomware groups are finding new ways to put pressure on their victims, from performing DDoS attacks against their public-facing websites to contacting companies that do business with the victims to put added pressure on them to pay the ransom, he said, noting that ransomware groups are also trying to influence insiders to deploy ransomware within their organizations by promising million-dollar payouts. “In the world of cybercrime, ransomware isn’t just part of the game, it has become the game,” he said. Recent Articles By Author