REVIL Gang Is Back to The Dark Web: There's Need to Panic
The notorious ransomware gang REvil is back on the dark web. The dark web is a hidden segment of the internet that can only be reached through special networks such as Tor. The group went dark in July amid pressure from the U.S. government on Russia, which it pushed to act against ransomware groups operating within its borders.
In July, the group's darknet (.onion) and clearnet (decoder.re) websites went offline. Who took the websites down, and how, is unknown. For the first time, the group took down all of its customer-facing infrastructure, including chat rooms, payment portals, and the extortion pages used to publish stolen information.
Even so, the REvil group has dissolved under pressure and reformed before. It started out as the GandCrab group, which went on a ransomware frenzy in 2018, mainly targeting healthcare vendors and supposedly taking in $2 billion in revenue. With this second comeback, the group is behaving like a phoenix.
What Caused the Takedown of The REvil Gang?
The REvil group, also dubbed Sodinokibi, has been in operation for a while. Before its disappearance, the infamous ransomware group masterminded dozens of attacks. Its last attack before going dark was one of its largest: REvil targeted organizations using IT management software from Kaseya Ltd. This may be the attack that made the group disappear.
The Kaseya attack began with a supermarket in Switzerland and then spread to thousands of businesses. REvil later asked for $70 million in Bitcoin as a ransom payment, promising to provide a decryption key for the victims' files once it was paid.
The extent of the attack drew the attention of the U.S. government, which threatened to act against Russia if the ransomware attack was linked to it. After REvil went offline, Kaseya obtained a master decryptor for the attack's victims. The company did not say how it obtained the decryptor, and it refused to say whether it had paid the ransom.
REvil’s Attack On JBS
The REvil group also attacked JBS computers, forcing the world's largest meatpacking company to shut down its U.S. operations for a day. The attack disrupted operations in the U.S. and Australia. The REvil gang demanded $11 million to undo the attack; JBS paid the ransom, and the group undid the attack.
REvil's Comeback to The Dark Web
According to Bleeping Computer, "Happy Blog", the blog the REvil gang uses to communicate, has resurfaced in the black market. The last activity on the blog was on July 8, five days before the site went dark. Does this indicate that the REvil gang is back in the black market? We leave that open to speculation.
Adam Flatley, director of threat intelligence at Redacted Inc., talked about the blog's reappearance. Adam told SiliconANGLE that there is a lot of wrong information out there and that people are rushing to post false information. He added that there is no evidence of new attacks or new malware samples, so people should double-check their facts before rushing to post them.