Introduction
Back in January 2022, a ransomware group dubbed REvil was raided and arrested by Russian FSB forces. They took fourteen of the members into custody, in addition to confiscating assets critical to their operation. All of this resulted in the rest of the REvil team going dark, and they haven’t been heard from since.
Until now. In April, three months after the arrest of some of its members, the REvil group appears to be back from the dead.
What Happened Back Then?
REvil is short for Ransomware Evil, a Russian group selling ransomware-as-a-service. It’s basically packaged malware that other criminals can buy and unleash on their targets. These kits sell for as little as $10 on dark web marketplaces, and for up to thousands of dollars when they include complex code, 24/7 customer service and many of the other perks you would expect from a legitimate business.
Back when REvil was initially active, businesses all around the world were targeted with this kind of malicious data theft. In 2021, over 360 U.S. targets were hacked, extorted and blocked from their own files until they paid a double extortion (once to decrypt their information, and then an additional fee to stop the thieves from leaking all that data to the public). The attack executed against Kaseya, a popular software company, led to the infection of over 1,500 organizations globally during a busy Fourth of July weekend.
In its prime, REvil was responsible for a series of publicized attacks. However, their main digital hub of operations went offline in October, months before the arrests within the group took place. In January, when it was announced that members of the criminal organization had been taken into custody, victims and worried bystanders alike hoped that it would be the end of all their REvil nightmares.
What’s Happening Now?
Russian officials shut down the old website that leaked the victims’ data, but it now appears to have been rebranded and redirects to a new domain. Deep in the Dark Web, REvil’s new website appears to be up and running as strong as before. Victims of the original REvil group, as well as new ones targeted since then, have their information leaked on the new site (the group runs a blog about its latest ‘accomplishments’), indicating that this is indeed the same criminal team back from the dead.
The reestablishment of their online infrastructure is already raising concerns for potential targets with a lot of profit and private data to lose. Meanwhile, the group’s rebranded website also includes a bid to recruit new members. They appear to have shut down just to regroup.
How to Fight Ransomware
Dealing with a ransomware attack is never fun. If you can, shoring up safeguards to prevent the initial breach is the most effective way to preserve your revenue and workflow in the long run.
Tips for dealing with ransomware include:
- Never pay the ransom! Report the breach to your appropriate security team and follow company protocols as you’ve been directed in your security awareness training.
- Back up data regularly.
- Check on a regular basis that your backup storage is accessible, recoverable and readable.
- Install new updates as soon as they come out, because they contain the latest defenses against malware and breaches.
- Don’t give out personal information online.
- Be wary of links from unknown sources or senders.
Ransomware is a rising threat, and the resurgence of the REvil group shows how difficult it can be to shut down threat actors for good. However, following these safety tips and staying up to date on how to prevent breaches is one way to stay cybersecure and protected against ransomware on a daily basis, so you can get back to (securely) browsing the web.