Monday 13th September 2021

BLOG: The Return Of REvil

Following an abrupt departure for two months, several of the dark-web servers belonging to REvil came back online recently, The REvil led blog ‘Happy Blog’ also reemerged alongside their TOR servers. An alleged representative of the notorious REvil ransomware gang has started engaging with members on a cybercrime forum and began sharing details about the group’s apparent re-emergence. REvil’s hiatus came after orchestrating the July Kaseya breach attacks, which saw REvil encrypt 60 managed service providers and over 1,500 businesses using a zero-day vulnerability in the Kaseya VSA remote management platform. The group demanded $50 million for a universal decryptor for all Kaseya victims, $5 million for an MSP’s decryption, and a $44,999 ransom for individual file encryption extensions at affected businesses. This attack was one of the largest attacks to date and had such wide-stretching consequences worldwide that it grasped the attention of international law enforcement to bear on the group. Previously the group was responsible for, an attack on the world’s largest meat producer JBS, forcing the company to pay $11 million in ransom to the extortionists to recover from the incident in late May.


This then led to its properties on both the dark web and normal web went offline. This disappearance fuelled the assumption that the group may have been hit by law enforcement agencies, especially since the emergence of a universal decryptor key to help all victims unlock their machines. The REvil representative did not provide any explanation regarding the departure of the group and didn’t mention that the group was able to restore their operations from backup.


The group has started to restore its online properties. Cybersecurity professionals alleged that REvil were trying to rebuild their status and character with former associates and allies, who were allegedly displeased with REvil’s sudden disappearance. Alongside this, cybersecurity professionals also claimed that on the forum in which REvil announced their comeback, a threat actor opened an arbitration case against the REvil spokesperson for unpaid fees from an earlier operation, but soon marked it as resolved, which perhaps indicates that REvil has cleared its dues.
The notorious REvil gang said the universal decryptor key for all victims of the Kaseya ransomware attack was accidentally released to victims by a coder. The representative for the group said “Our encryption process allows us to generate either a universal decryptor key or individual keys for each machine,” REvil wrote Friday morning on an illicit Russian-language forum called Exploit. “One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine”


REvil said it had to generate between 20 and 500 decryption keys for each of the roughly 1,500 customers compromised in the Kaseya ransomware attack since all the victims had networks of different sizes. The sheer volume of keys led to a mistake where victims who paid the ransom found the universal decryptor key had been released among the individual decryptor keys relevant to their organisation. It is claimed that when victims of REvil unearthed the universal decryptor key, it was forwarded to Kaseya and relevant law enforcement agencies. REvil said that the Kaseya universal decryptor key was leaked by law enforcement agencies due to human error during the key generation process.


REvil clarified a few things that the cybersecurity community has been wondering, the representative stated, “The payments totalled over 10kk” and “No one was scammed. We are in contact with our affiliates, we aren’t hiding anything”. ‘10kk’ is believed to be another way of saying more than $10 million. It isn’t evident whether this statement is referring to payments made by victims of the Kaseya ransomware attack to REvil or another REvil orchestrated attack.
An alleged representative of REvil said on Exploit Thursday that the ransomware gang has managed to come back online using their backups.


Information presented by any ransomware gang should be treated with immense suspicion and it is important that all stay vigilant surrounding these things.

Get our latest cyber intelligence insights straight into your inbox

Fill out the short form below to subscribe to our newsletter so that you never miss out on our cyber intelligence insights and news.