REvil TOR sites back in action with new ransomware (RaaS) operations 

Has REvil re-emerged? That’s the question on everyone’s mind and the topic that’s got the cyber community talking. After months of silence, REvil, the infamous presumed Russian-based ransomware gang, seems to be back online as of last week, with a new leak site promoted on RuTOR. The hacker group’s old site, Happy Blog, has returned, and the list of the REvil’s victims includes two new names, raising eyebrows as to what is going on. 

Let’s dive into the details of what’s happening. 

REvil: A brief history of the group’s attacks

REvil began making a name for itself back in 2019, although some cyber experts believe REvil was originally an offshoot from a previous hacking group GrandCrab, which is no longer active. REvil uses a Ransomware as a Service (RaaS) model in which affiliates use its already-developed ransomware to launch attacks and share the ransom payment with REvil. 

One of REvil’s first major ransomware attacks was in May 2020. The group targeted prominent law firm Grubman Shire Meiselas & Sacks (GSMS), stealing a terabyte of sensitive data. They demanded $21 million, later increasing the fee to $42 million. GSMS refused to pay, and the hackers made much of the data available for purchase online. 

  • March & April 2021: The group hacked the London-based educational trust Harris Federation, publishing a slew of financial documents on its Happy Blog. An affiliate claimed to have downloaded data from Acer. It demanded a $50 million payment which later rose to $100 million. REvil stole plans for Apple and Lenovo products, again demanding $50 million.
  • June & July 2021: Over the next few months, REvil launched more shocking attacks. A ransomware attack forced JBS S.A. to shut down plants and operations, leading the company to pay the $11 million Bitcoin ransom. REvil then launched a supply chain ransomware attack through desktop management software Kaseya, which affected up to 1500 SMBs, asking for $70 million to restore stolen data. 

After the July 9th attack against HX5, a space and weapon-launch technology contractor that works with the U.S.’s armed forces, President Biden spoke to Russian President Vladimir Putin, insisting Putin take action against the group. REvil’s site and infrastructure disappeared on July 13th without any fanfare. 

Over the course of 2021, REvil attacked at least 360 US businesses and was responsible for 37% of all ransomware attacks. 

As the story goes, Russia’s FSB said they arrested and charged 14 REvil gang members in January of this year, stating the group had been dismantled. The FSB seized over $5.5 million and 20 luxury cars. 

Why is REvil back in the news now?

REvil’s TOR onion address from its original Happy Blog is live, redirecting people to a new site that details its old and latest victims: Oil India and Visotec Group. Oil India has said it was the victim of a ransomware attack on April 10th. Although an unnamed group demanded $7.5 million, investigators found Russian malware was used, so the finger is being pointed towards REvil. Visotec Group hasn’t disclosed any breach yet. 

It’s also worth noting that REvil’s old TOR payment domains redirect to its new site, which includes a recruitment page for affiliates who want to join its ranks. 

There is a lot of speculation as to why this supposed Russian gang is back online, but several theories have emerged as the frontrunners. 

Theory 1: Some cyber experts believe that a new group or previous members of REvil are trying to piggyback on the group’s reputation or rebuild it as they restart activities. 

Theory 2: Others posit that the FSB may have set up the new sites to entrap cybercriminals, but given that new victims have been added, this seems less likely. 

Theory 3: As it’s impossible to ignore the political situation triggered by Russia’s invasion of Ukraine and the West’s reaction, some cyber community members are suggesting that the Russian state itself actually sponsors REvil. 

What’s clear is that the RaaS currently being promoted on RuTOR is an updated version of REvil’s ransomware. 

What should businesses do now?

There are two truths businesses can count on: cyber gangs may come and go, but some will always be present, and threats are constantly looming. People get arrested and removed but their malware and, in this case, their ransomware, are alive and well to be reused and revamped. That means companies need to be vigilant and prepared. 

The best way to stay safe is to continually monitor your network so you can identify any malicious activity as soon as possible. If you suspect a real threat is lurking in your system, the next step would be to initiate a threat hunting project to determine what is happening. 

Sign Up for Updates