[BreachExchange] REvil ransomware's servers mysteriously come back online
Sophia Kingsbury
sophia.kingsbury at riskbasedsecurity.com
Wed Sep 8 08:33:09 EDT 2021
https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/
The dark web servers for the REvil ransomware operation have suddenly
turned back on after an almost two-month absence. It is unclear if this
marks their ransomware gang's return or the servers being turned on by law
enforcement.
On July 2nd, the REvil ransomware gang, aka Sodinokibi, used a zero-day
vulnerability in the Kaseya VSA remote management software to encrypt
approximately 60 managed service providers (MSPs) and over 1,500 of their
business customers.
REvil then demanded $5 million from MSPs for a decryptor or $44,999 for
each encrypted extension at the individual businesses.
The gang also demanded $70 million for a master decryption key to decrypt
all Kaseya victims but soon dropped the price to $50 million.
After the attack, the ransomware gang faced increasing pressure from law
enforcement and the White House, who warned that the USA would take action
themselves if Russia did not act upon threat actors in their borders.
Soon after, the REvil ransomware gang disappeared, and all of their Tor
servers and infrastructure were shut down.
To this day, it is not clear what happened, but it left ransomware victims
who wished to negotiate unable to do so and without the ability to restore
files.
Mysteriously, Kaseya later received the master decryption key for the
attack victims and stated it was from a trusted third party. It is believed
that Russian intelligence received the decryption key from the threat
actors and passed it along to the FBI as a gesture of goodwill.
REvil infrastructure suddenly turns back on
Today, both the Tor payment/negotiation site and REvil's Tor 'Happy Blog'
data leak site suddenly came back online.
The most current victim on the REvil data leak site was added on July 8th,
2021, just five days before REvil's mysterious disappearance.
Unlike the data leak site, which is functional, the Tor negotiation site
does not appear to be fully operational yet. While it shows the login
screen, as seen below, it does not allow victims to log into the site.
The gang's http://decoder.re/ is still offline at this time.
It is unclear at this time whether the ransomware gang is back in
operation, the servers have been turned back on by mistake, or it is due to
the actions of law enforcement.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210908/cce334e3/attachment.html>
More information about the BreachExchange
mailing list