SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Infamous criminal ransomware group REvil is back
Thu, 9th Sep 2021
FYI, this story is more than a year old

Following the sudden shutdown of the REvil ransomware groups operations and infrastructure in mid-July, security researchers have confirmed that the cybercrime syndicate is back online.

The operators behind the criminal ransomware group have resurfaced after allegedly closing shop following the widespread attack on Kaseya that caused thousands of victims in early July. Reports say sites used by the infamous group have mysteriously come back to life.

According to various cybersecurity firms and the U.S. government, the REvil group operates from Russia. An attack on giant Brazilian meat supplier JBS saw the company eventually pay an $11 million ransom after it was attacked by the group.

REvil runs a website called the “Happy Blog,” where it publishes samples of data stolen before locking companies out of their own networks.

According to reports, the newest entry was from a victim who was attacked on 8 July. Security researchers from Recorded Future and Emsisoft also confirmed much of the group's infrastructure was back online.

Steve Moore, chief security strategist, Exabeam, says REvil is already very likely a reincarnation of a previous group.

"After all, adversaries' talent and confidence is stronger after prior successes. I encourage organisations to think about this two-fold," he says.

"First, they undoubtedly have their next software supply chain compromised. The technique began in espionage and has now been borrowed for criminal activity; this campaign hasn't started yet but will very soon," Moore says.

"On the other hand, defenders should focus more on the missed intrusion and poor recovery options and less on ransomware. Ransomware is the product of being unable to detect and disrupt the cycle of compromise period," he explains.

"Directly, Revil took time to refit, retool, and take a bit of a holiday over the summer. The fact their sites are back online means they are, again, ready for business and have targets in mind."

Ransomware expert Allan Liska told ZDNet that most people expected REvil to return, but with a different name and a new ransomware variant.

"Things definitely got hot for them for a while, so they needed to let law enforcement cool down," he said.

"The problem (for them) is, if this is really the same group, using the same infrastructure, they didn't really buy themselves any distance from law enforcement or researchers, which is going to put them right back in the crosshairs of literally every law enforcement group in the world (except Russia's)."