Data Security

REvil ransomware gang is back after disappearing amid Kaseya attack

The official .Onion website of REvil ransomware gang is back online while its chat platform and clearnet site is still offline.


The official website of the REvil ransomware gang (aka Sodinokibi) which is accessible through the Tor browser is back online after mysteriously going offline in July 2021.

It is yet unclear whether the original group has resurfaced or its cyber infrastructure is being used by law enforcement authorities as part of a honeytrap.

However, last week Hackread.com reported on a series of large DDoS attacks on two Internet and Telephony Service Providers (ITSP) in the United Kingdom. In a statement, Comms Council UK, a body that supports and represents telecom firms in the country, said that both attacks were carried out by the REvil suggesting that the gang is carrying out unannounced attacks.

It is worth noting that on July 13th, 2021, the official website of the REvil group along with its chat and payment gateways went offline. Reportedly, the temporary demise of the group happened due to mounting pressure from the United States government after the gang’s large-scale cyberattack against Kaseya, a software company located in the U.S.

As of now, Hackread.com can confirm that REvil’s Tor website is back online while its chat platform used for negotiating with victims for ransomware attacks and its clearnet site decoder.re were offline.

REvil ransomware gang’s website (Image credit: Hackread.com)

In a conversation with Hackread.com, Steve Moore, chief security strategist at Exabeam, warned about REvil’s reappearance stating that:


“REvil is already very likely a reincarnation of a previous group. After all, adversaries’ talent and confidence is stronger after prior successes. I encourage organizations to think about this two-fold.”

“First, they undoubtedly have their next software supply chain compromised. The technique began in espionage and has now been borrowed for criminal activity; this campaign hasn’t started yet – but will very soon,” said Moore.

“On the other hand, defenders should focus more on the missed intrusion and poor recovery options and less on ransomware. Ransomware is the product of being unable to detect and disrupt the cycle of compromise – period,” Moore advised. 

“Directly, Revil took time to refit, retool, and take a bit of a holiday over the summer.  The fact their sites are back online means they are, again, ready for business and have targets in mind,” warned Moore.

REvil means bad news

For those unaware of REvil’s activities; the group is known for targeting high-profile businesses and organizations. According to its website, the group is behind hundreds of cyberattacks including:

1. Acer

2. Kaseya

3. Quanta

4. MasMovil

5. Sol Oriens

6. State Bank of Chile


Basic security against ransomware attacks

Regardless of which industry you are connected to there are basic steps to avoid ransomware attacks. These includes:

  • Installing anti-virus software and keep it updated
  • Regularly scanning your network for vulnerability (especially 0-days)
  • Always keeping the firewall activated on the browser
  • Never sharing your personal information or any sensitive data online unless you are sure of the authenticity of the platform
  • Never click on suspicious links or pop-ups that claim how your system is infected with malicious programs, and you need to ‘click’ to clean up.
  • Keeping a backup ready, in case your data gets lost
  • Saving your data in the cloud, it safeguards your files and makes data recovery easier.
  • Keeping the operating system and other crucial applications on your computer up to date.

Comments
To Top

Pin It on Pinterest

Share This