REvil reappearance may herald new ransom campaigns

The apparent return of the REvil ransomware syndicate amid the reactivation of its infrastructure and dark web leak site – known as the Happy Blog – has cast doubt on previous reports of the crew’s demise and may yet herald a renewed campaign of ransomware attacks in the coming months.

The syndicate dropped offline in mid-July in mysterious circumstances, prompting community speculation that the Russian authorities had pressurised the gang to scale back its activities in the wake of its high-profile attack on Kaseya, which downed multiple businesses by taking out their managed services providers.

Others theorised that there had been a falling out within the REvil organisation, or that the gang members had simply decided to cash out and “retire” REvil to concentrate on new projects, as they did once before.

The reactivation of REvil’s Happy Blog was picked up on by researchers from across the security community, including Emsisoft and Recorded Future. Multiple reports say the group’s payment portal is also once again available, and Bleeping Computer has confirmed that REvil attacks are currently taking place.

Exabeam chief security strategist Steve Moore said that as the reactivation of parts of REvil’s infrastructure appears to be a sign that the operation is back in business, it is only a matter of time before another significant attack.

“I encourage organisations to think about this two-fold,” said Baker. “First, they undoubtedly have their next software supply chain compromised. The technique began in espionage and has now been borrowed for criminal activity. This campaign hasn’t started yet – but will very soon.

“On the other hand, defenders should focus more on the missed intrusion and poor recovery options and less on ransomware. Ransomware is the product of being unable to detect and disrupt the cycle of compromise – period.”

Moore added: “Directly, REvil took time to refit, retool and take a bit of a holiday over the summer.  The fact that their sites are back online means they are, again, ready for business and have targets in mind.”

Talion security ops director Chris Sedgwick added: “Hacker groups disappearing when things heat up is something we have seen frequently in the past, with cases like Emotet or Anonymous. When groups do disappear, it is generally to buy some time and take the limelight off them from law enforcement agencies, and it rarely means they are disappearing for good.

“On the assumption that this is indeed the same threat group operating the infrastructure, we would expect to see a new ransomware variant from the group in the near future, but with much more carefully selected victims to keep the media and government attention off them as much as possible.”

Besides Kaseya, the REvil gang – also known as Sodinokibi – and its affiliates have been behind some of the most impactful ransomware attacks of the past two years, with victims including US meat supply firm JBS, Taiwanese PC-builder Acer, a New York law firm with celebrity clients including singers Nicki Minaj and Mariah Carey, and foreign exchange services provider Travelex, which ultimately went bust as an indirect result of an early REvil attack at the end of 2019.

These efforts are thought to have netted those behind REvil at least $100m and possibly more.

Even if there is another explanation behind the apparent re-emergence of REvil, security teams should use this time to take stock of their cyber security posture and ransomware response plans. More guidance on effective ransomware defences is available from the UK’s National Cyber Security Centre.