9554622473?profile=RESIZE_400xOur friends at several cyber media outlets are reporting that the operators behind the REvil ransomware-as-a-service (RaaS) is back.  In a surprise return, REvil reappeared after a two-month break following the widely publicized attack on technology services provider Kaseya on 4 July 2021.  In fact, Red Sky Alliance analysts observed its return this past week.

Two of the dark web portals, including the gang's Happy Blog data leak site and its payment/negotiation site, have reappeared online, with the most recent victim added on 8 July, five days before the sites mysteriously went off the grid on 13 July.  It is not immediately clear if REvil is back in the game or if they have launched new attacks.[1]

"Unfortunately, the Happy Blog is back online," Emsisoft tweeted on 7 September. 

The development comes a little over two months after a wide-scale supply chain ransomware attack aimed at Kaseya, which saw the Russia-based cybercrime gang encrypting approximately 60 managed service providers (MSPs) and over 1,500 downstream businesses using a zero-day vulnerability in the Kaseya VSA remote management software.

In late May of this year, REvil also organized the attack on the world's largest meat producer JBS, forcing the company to shell out $11 million in ransom to the extortionists to recover from the incident.  Yes, the Food Supply Chain is now on the hacker’s radar screen.

After these ransomware attacks and the subsequent increase in international scrutiny, the hacker group took its dark web infrastructure down.  This lead to assumptions REvil may have temporarily ceased operations with the goal of rebranding under a new identity so as to attract less attention.

REvil, also known as Sodinokibi, emerged as the fifth most commonly reported ransomware strains in Q1 2021, accounting for 4.60% of all submissions in the quarter, according to statistics compiled by Emsisoft.


Figure 2. Happy_Blog

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and is tracking close to 70 dark web forums and sales sites.  In fact, our analysts saw REvil’s return on 8 September.  Your stolen company or personal identities could be in the dark web to provide an avenue for future hacking activity.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com  

Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings


[1] https://thehackernews.com/2021/09/russian-ransomware-group-revil-back.html

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance