Also known as Sodinokibi, the infamous REvil ransomware-as-a-service (RaaS) operation was responsible for a string of high-profile attacks against the likes of the world's largest meat supplier JBS Foods and IT services firm Kaseya.
However, its activities appeared to have come to a halt after law enforcement agencies pushed REvil offline in October 2021, and Russia reportedly arrested 14 of the gang's members earlier this year.
So some will view new activity linked to REvil's ironically-titled "Happy Blog", where it announced its hacks against businesses and leaked stolen data, with understandable dismay.
As BleepingComputer reports, researchers have noticed that the Tor address used for REvil's leak site is now redirecting to a new website, with details of seemingly new attacks.
Amongst those listed as having fallen foul of hackers is Oil India, which last week disclosed it had suffered a security breach that required it to shut down its computer systems.
The blog posted by the supposed perpetrators threatens to begin publishing exfiltrated data – including contracts, client information, and messaging chats – unless Oil India continues its negotiations.
Most of the other victims listed on the webpage relate to past REvil ransomware attacks.
Meanwhile, a "Join us" page written in Russian explains how criminals can apply to become an affiliate, offering benefits such as the "same proven (but improved) software" and an 80/20 split of the ransoms collected.
Some may be more cautious than usual, of course, about becoming a ransomware affiliate – given evidence uncovered in the past that REvil had no qualms about scamming its fellow cybercriminals.
So, is this latest development evidence that the REvil group is back in operation, or has a new ransomware-as-a-service operation somehow managed to seize control of REvil's old site and point it to their own pages?
Or is it possible that this new site is operating as a honeypot, attempting to gather information about those interested in becoming ransomware affiliates, collecting intelligence for law enforcement agencies?
For now there are no clear answers, and the pages themselves don't offer much in the way of clues – failing to make any claims about whose banner they might be operating under.
What is certain is that no organisation should rest on its laurels when it comes to defending itself from attack, and should take steps now to reduce the chances of being the next victim of a ransomware attack.
Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.