REvil’s TOR Sites Are Back With New Ransomware
The Servers Have Returned to Service After Months of Inactivity.
Discovered in April 2019, the REvil/Sodinokibi ransomware (also known as Sodin) is a highly evasive ransomware that encrypts files and deletes the ransom request message after infection. The message informs the victim that a bitcoin ransom must be paid and that, if it is not paid on time, the demand will double.
REvil is a textbook example of Ransomware-as-a-Service, a cybercrime model in which two groups team up for the attack: the code authors who develop the ransomware and the affiliates who distribute it and collect the ransom. This division of labour is what makes Sodinokibi dangerous for companies of all sizes. Sodinokibi quickly became the 4th most distributed ransomware in the world, targeting mostly American and European companies.
The REvil ransomware's servers on the TOR network have returned to service after months of inactivity, redirecting to a new operation that appears to have been running since at least mid-December last year.
The new leak site carries a long list of victims from previous REvil attacks, as well as two new victims. It is unknown who is behind the new REvil-connected operation.
Security researchers pancak3 and Soufiane Tahiri discovered that the new REvil leak site was being promoted on RuTOR, a forum marketplace that focuses on Russian-speaking countries.
After successfully locking Oil India, the #ransomware group trying to impersonate REvil (or maybe REvil ?!) added a new victim to their blog: Visotec Group.
I’ll be calling them useransom.187201 until an “official” name is given to them. @ValeryMarchive @SOSIntel @ransomwaremap pic.twitter.com/6HMvQ8522j
— Soufiane Tahiri (@S0ufi4n3) April 20, 2022
Who uses RUTOR for ransomware adverts?
“The same proven (but improved) software” lol pic.twitter.com/RbEUbatYOL
— pancak3 (@pancak3lullz) April 19, 2022
Although the new site is hosted on a different domain, it redirects to the one REvil used while it was active, according to BleepingComputer, which also confirmed the redirect.
The leak site provides a detailed description of the terms offered to affiliates: according to the site, affiliates receive an updated version of the REvil ransomware and keep 80% of any ransom they collect, with the remaining 20% going to the operators.
The site lists 26 pages of victims, the majority of them from previous REvil attacks; only the final two pages appear to be linked to the current operation.
How Can Heimdal™ Help?
Prevention is the most effective cybersecurity technique because it keeps your important assets from being compromised in the first place. To avoid data loss and exfiltration, your firm needs effective cybersecurity solutions such as Heimdal Ransomware Encryption Protection, which blocks ransomware encryption attempts before they can succeed.