REvil's ransomware infrastructure appears to have restarted after months of inactivity


Security researchers recently noticed a new REvil leak site being promoted on a forum marketplace that focuses on Russian-speaking regions

The REvil ransomware gang appears to have returned after the arrest of 14 of its members by the Russian FSB in January.

As reported by BleepingComputer, REvil's servers in the TOR network are now redirecting to a new website that currently features 26 pages loaded with data of the group's successful hacks.

Most of the victims listed on the pages are from previous REvil hacks, although two victims appear to be related to the new hacking operation.

Oil India, an Indian state-run oil business, is one of the latest entrants, having announced a cyber security breach last week, with perpetrators reportedly demanding $75 million in ransom.

Visotec Group is another new victim, which has not yet made any public disclosures about a data breach and whose website is still operational.

The hackers' blog notes that Oil India has decided not to pursue a discussion with the group, a decision that has resulted in the firm's internal financial data and contracts being leaked.

Security researchers Soufiane Tahiri and pancak3 found the new REvil leak site being promoted on RuTOR, a forum marketplace that focuses on Russian-speaking regions.

REvil's former TOR payment domains are also redirecting to the new site, according to the researchers.

The new website reportedly features a recruiting page with information on the terms and conditions for affiliates, who are allegedly offered an enhanced version of REvil ransomware as well as an 80/20 split if they collect a ransom.

It is as yet unclear who is behind the new REvil-connected operation, although it is evident that the individuals responsible for establishing a redirect on REvil's old website and payment link would have had access to the group's old infrastructure.

This has led many people to believe that the infamous ransomware operators are making a comeback.

Users on a popular Russian-language hacker site speculated whether the new operation was a hoax, a honeypot, or a legitimate continuation of the previous REvil operation.

REvil, also known as Sodinokibi or Sodin, has been one of the most notorious ransomware groups of 2020/21.

In July, REvil used a zero-day bug in Kaseya's VSA remote management tool to encrypt about 60 managed service providers and over 1,500 of their small- and medium-sized business customers in a massive supply chain strike.

A few days after attacking Kaseya, REvil disappeared from the internet - abandoning forums, disconnecting its servers, and shutting down its dark web presence.

Experts suspected that the Russian government had forced the group to cease operations, to show the world that it was working with the US government.

But in September, many of the dark-web servers belonging to REvil resurfaced, sparking fears that the group was preparing for new attacks.

About a month later, it emerged that the REvil gang was itself hacked and taken offline in a coordinated operation that involved law enforcement agencies from multiple countries.

Reuters reported that cyber experts working with the US intelligence agencies were able to breach REvil's computer network infrastructure and to seize control of at least some of their servers.

Earlier this year, the Federal Security Service (FSB) of the Russian Federation said it had taken down REvil infrastructure at the request of the United States in an operation in which 14 alleged members of the gang were arrested.

The individuals arrested by the FSB included a hacker who US officials say executed May's Colonial Pipeline attack.

The agency said that the basis for these raids was an appeal by the US authorities, who provided detailed information about the leader of the gang and his role in encroaching on the information resources of foreign tech firms.

At the moment, the US agencies have ceased cooperating with Russia on cybersecurity threats as a direct result of Russia's invasion of Ukraine.