Heimdal
article featured image

Contents:

After a nearly two-month hiatus, the REvil ransomware actor’s dark web servers have mysteriously come back online. At the moment, it is unclear whether the REvil gang started operations again or if law enforcement turned on the servers.

Massive Ransomware Attack Conducted by the REvil Group

In July, we announced that a supply chain vulnerability was successfully exploited by cybercriminals to target thousands of businesses through the initial infected host. The entry point was the Managed Service Provider (MSP) Kaseya VSA, a cloud-based platform that allows its customers to perform patch management and client monitoring.

This led to the most significant ransomware attack in history. The data of 60 customers, plus around 1,500 downstream businesses have been impacted by the attack.

REvil gang initially decided that the price for decrypting all systems would be $70 million in Bitcoin in exchange for the tool that allows all affected businesses to recover their files, but later dropped the price to $50 million.

The REvil Ransomware Group Mysteriously Disappears

The interesting part is that a few days after the attack, the REvil ransomware gang mysteriously disappeared. According to ransomware experts, the attackers’ payment site, the public site, the ‘helpdesk’ chat, and their negotiation portal went offline July 13th at approximately 01:00 AM EST, which is 08:00 AM Moscow time.

Some security experts believe the gang may have shut down their own websites due to internal disagreements or fear related to increased law enforcement attention.

Following the Kaseya attacks, the White House warned that the USA would take action themselves if Russia did not act upon threat actors in their borders.

We still don’t know what really happened with the gang but their decision to disappear certainly impacted the victims who wanted to negotiate in order to receive a decryption key for their encrypted files.

Kaseya Managed to Get a Decryption Key

After the gang’s disappearance, Kaseya declared that it obtained a universal decryptor for the ransomware attack from a “trusted third party” and now is distributing it to the impacted customers.

Security experts believe Russian intelligence obtained the decryption key from the threat actors and sent it to the FBI to show their good intentions.

REvil Ransomware Gang’s Servers Online Again

Both REvil’s Tor ‘Happy Blog’ data leak site and the Tor payment/negotiation site came back online yesterday. According to BleepingComputer, REvil’s latest victim was added to their data leak site on July 8th, 2021, just five days before the gang’s mysterious disappearance.

REvil ransomware's servers back online

 

Source

Unlike the data leak site, which is up and running, the Tor negotiation site does not appear to be fully functional yet, as victims are unable to log in.

REvil ransomware's servers back online

Source

At the time of writing, the REvil’s site decoder[.]re is still offline.

Author Profile

Antonia Din

PR & Video Content Manager

linkedin icon

As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo