REvil Ransomware Group Resurfaces Over Labor Day Weekend

REvil, the ransomware group behind the JBS meat supplier and massive July 4^th Kaseya attacks, reportedly resurfaced over the U.S. Labor Day weekend.

Shortly after what is still considered the largest ransomware attack in history, the Russia-based REvil ransomware gang seemingly disappeared into thin air with media outlets reporting their infrastructure and websites going offline on July 12. These sites included the group’s negotiation and payment site, public forum and contact chat (if this sounds like a business website, it’s because it is in many aspects despite the illegal nature of the operations).

Many experts cited the fact all of their sites being shut down simultaneously was unusual and speculated the gang may have erased their servers due to a supposed government subpoena. Additionally, their XXS administrator banned a user known as “Unknown” from their hacking forum – a user which was believed to have been their public-facing representative of the gang. While there was a brief sigh of relief when their servers disappeared, this ended the ability for those negotiating for their data to contact the group.

Following the abrupt disappearance of their digital footprint, experts who were curious when the gang would resurface did not have to wait long as associated dark web servers for their websites resurfacing over the U.S. Labor Day weekend, including the Happy Blog. This site is where REvil publishes samples of stolen data before locking victims out of the networks and starting the ransomware negotiations. Another portal REvil uses to negotiate payment was also reactivated, although no new activity has been reported.

So why has REvil seemingly reappeared and what’s next?

First, there were very few who thought the gang had disbanded permanently. With a string of high profile victims including U.S. meat supplier JBS, Apple manufacturer Quanta and the now infamous July 4^th Kaseya ransomware attack, REvil was one of the top targets of the Biden Administration, who promised to shut down their servers if the Russian government would not act. There was never an official statement from either side, but many speculated that either the White House had delivered on their promise or REvil went into hiding with all of the heat on them.

Another possible explanation is that they were simply on vacation No, really. Like those of us in the workforce, ransomware groups are known to slow down during the summer months and focus on “getting back to work” in the fall and holiday season. Alternatively, there are some that think the sites being reactivated are actually being controlled by law enforcement or the reactivation is simply an accident – this are best case scenario in many views for obvious reasons.

If the servers being activated again are not law enforcement or accidental, the re-emergence of their online presence is plenty cause for alarm based on their track record and a developing story to monitor moving forward.

Related Articles

• Jen Easterly Named Director of the Cybersecurity and Infrastructure Security Agency
• Largest Ransomware Attack on Record Hits During the U.S. Holiday Weekend
• US Lawmakers Look to Set Federal Cyber Breach Alert Standard

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].

In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.