The Tor sites of the infamous REvil ransomware group have suddenly come back online after months of inactivity.
While the group took down all of its websites and essentially closed its operations in September 2021 before being taken down by the Russian FSB earlier this year, its sites on Tor are now redirecting to a new ransomware operation that has not been launched only recently.
As of now, it’s still unclear who or what group is behind this new operation, but the new leak site contains a long list of former REvil victims as well as two new ones.
According to BeepComputer, security researchers pancak3 and Soufiane Tahiri recently spotted ads promoting the new leak site REvil on the Russian online hacking forum RuTOR. Despite the fact that the new site is hosted on a different domain, it still leads to the original one that REvil used in its heyday.
Who runs the new leak site?
While cybercriminals have started using a Ransomware-as-a-Service (RaaS) model, the new leak site explains that affiliates are getting an upgraded version of REvil ransomware along with an 80/20 split of all payouts from ransom collected.
As for the victims, the site offers a list of 26 pages and although most of them are from previous attacks, the last two seem to be related to this new operation and one of which includes Oil India.
In November last year, while REvil’s data leak and payment sites were still under FBI control, both sites displayed a page titled “REvil is bad” alongside a login form. Even though law enforcement has seized the ransomware group’s sites, these redirects suggest that someone else has access to the Tor private keys that allowed them to make changes to the group’s .Onion site.
Users of a popular Russian-speaking hacking forum have started discussing whether the new leaked site is a scam, a honeypot set up by the authorities, or a legitimate continuation of REvil’s previous activities. To make matters more confusing, there are currently several ransomware operations that use REvil’s encryptors or outright impersonate the original group.
Once security researchers take a closer look at the new leak site, we may finally have some answers as to whether the REvil ransomware group has magically returned from the dead.