The notorious REvil ransomware group, which went dark in July, has reemerged on underground forums and is attempting to reestablish ties with its former affiliates to begin operations again.
REvil is a ransomware-as-a-service group that had been operating for several years before drawing a large amount of unwanted attention this summer with the intrusion at software maker Kaseya. That attack resulted in nearly 1,500 companies that use Kaseya’s VSA remote administration service being infected with ransomware, and in Kaseya taking the service offline for several days. The incident caught the attention of not just law enforcement, but also the Biden administration. The REvil group is believed to operate from Russia, and President Biden raised the issue of ransomware and cybercrime groups in Russia with Russian President Vladimir Putin in talks after the Kaseya incident.
Following the Kaseya attack, REvil’s operators dropped off the underground forums where they communicated with affiliates, and the group’s infrastructure was taken offline. But last week, researchers discovered posts from apparent REvil operators on Exploit, a well-known forum, explaining that the group was back.
“For all intents and purposes, it appears that REvil is fully operational after its hiatus. Evidence also points to the ransomware group making efforts to mend fences with former affiliates who have expressed unhappiness with the group’s disappearance,” researchers at Flashpoint wrote in an analysis of the posts.
“Two days prior, on September 7, the REvil leaks blog, known as Happy Blog, went back online after a two-month hiatus. REvil is also allegedly back on Exploit under a new alias, ‘REvil’.”
The Kaseya incident brought quite a bit of attention to the ransomware problem in general and REvil’s operations specifically. Law enforcement agencies in the United States and Europe have been focusing intently on disrupting ransomware groups, their infrastructure, and their payment ecosystems for some time. But the Kaseya intrusion, coupled with the ransomware attack on Colonial Pipeline in May, led to a new level of interest from the Biden administration, which has formed a ransomware task force and created a new Joint Cyber Defense Collaborative (JCDC) to share resources with and cooperate with private sector companies to combat ransomware.
But the two main issues that make ransomware groups such as REvil successful still remain: the payment ecosystem and the political cover they receive in countries such as Russia and North Korea. Addressing those issues will take time and solutions in the technical and policy arenas, both of which are difficult and complicated. How that plays out remains to be seen, but for the time being the reemergence of REvil brings another player onto an already crowded board.