Pursued by US authorities after its attacks on JBS and Kaseya, the REvil gang seemed to be gone for good. But against all odds, it reappeared in early September. Bad news for the cybersecurity world.

REvil, one of the most feared and most active ransomware gangs since 2019, had disappeared on July 13, 2021. The gang had carried out a string of cyberattacks of unprecedented scale in quick succession, to the point of triggering official action on the part of the US government.

Every sign of its existence had then disappeared from the web:

  • “Unknown”, or UNKW (short for “unknown”, editor’s note), the public alias of REvil on hacker forums, no longer existed.
  • The group’s infrastructure was no longer online, whether the leak blog used for extortion (nicknamed “Happy Blog”), the negotiation site or the one where the “decryptors” can be retrieved once the ransom has been paid.
  • For two months, no new victims of the group came forward.

After two months without a sign, the absence seemed permanent, and other gangs had even moved to take over the lucrative business abandoned by REvil. The reason for the disappearance remained – and still remains – unclear: law enforcement has not announced any arrests or seizures, and members of the organization have remained silent.

Joe Biden had spoken publicly about the last two attacks launched by REvil. // Source: CCO / Gage Skidmore

But at the beginning of September, Bleeping Computer, the reference outlet for ransomware news, gradually gathered evidence of an astonishing return of REvil activity. First, its sites came back online, identical to before the disappearance. Then, a victim came forward on September 9, for an attack detected 5 days earlier. Finally, the gang spoke again on the Russian forums, but under the alias “Revil”, the “Unknown” account having disappeared, seemingly for good.

This comeback is terrible news for the cybersecurity world. Over the past two years, REvil (also known as Sodinokibi) has stood out for its ability to recruit more competent affiliates (“partner” hackers who carry out the cyberattacks). This advantage allows it to attack the world’s largest organizations, and thus make ransom demands that can amount to tens of millions of dollars.

Disappeared after spectacular hits

The majority of experts did not expect the gang to return, or at least not in this form. Usually, cybercriminals tend to create a new “brand” when their group has been compromised. They rework the code of their tools, recruit new associates and part ways with old ones: a way to start from a blank page and no longer be tied to past crimes. But REvil decided to act as if the two-month shutdown had never happened. It resumed the extortions that were underway in July, and even published victim data on its dedicated site.

At the end of May, REvil made the mistake of hitting the food giant JBS in the days after the Colonial Pipeline attack. That highly publicized hit by the rival gang Darkside had mobilized President Joe Biden himself, and the JBS attack received the same treatment.

Kaseya’s decryptor, a mystery yet to be solved

Shortly thereafter, on July 2, 2021, REvil stood out again, this time with a momentous blow in ransomware history. The cybercriminals had acquired a previously unknown vulnerability in one of Kaseya’s products, VSA. It had enabled them to infiltrate the networks of 60 clients, who themselves looked after the networks of 1,500 companies. In other words, from a single attack, REvil had claimed thousands of victims. It demanded $70 million – the biggest ransom in history – for the delivery of a “decryptor”, a tool supposedly capable of reversing the damage caused by its ransomware.

Ten days later, the gang disappeared, without the victims having been freed. But another 10 days later, this famous decryptor ended up in Kaseya’s hands, provided by “a trusted third party”, which made it possible to decrypt the victims’ networks for free. It is not yet known whether one of the gang’s operators released the decryptor for free to calm the authorities, or whether it was obtained directly from the cybercriminals’ infrastructure. Either way, REvil is back, and the threat it poses will be watched closely.

