The infamous REvil ransomware gang, also known as Sodinokibi, appears to be making a comeback after months of hiatus.
A new ransomware strain has been discovered by Jakub Kroustek, the Malware Research Director at Avast, suggesting the malicious cyber group has resumed attacking organizations.
Not only has this new variant been discovered, but REvil's Tor-based sites are back, including its "Happy Blog" data leak site and its payments portal. Brett Callow, a threat analyst at Emisoft, shared this information via a tweet:
All organizations listed on its data leak site have had their countdown timers reset, according to Bleeping Computer. These timers give the victims a set amount of time to negotiate a ransom payment before REvil either leaks the data online or doubles the ransom payment demand.
Why did REvil ransomware vanish?
After pulling off two of the largest ransomware attacks of 2021, REvil seemingly disappeared.
In May, the group was able to successfully disrupt the operations of one of the world's largest meat processing organizations, JBS Foods. After threatening to publish exfiltrated data, JBS made the decision to pay the hacking group $11 million for a decryption key.
Over the weekend of July 4th, the group attacked software built by IT management company Kaseya, which resulted in 1,500 small and medium-sized businesses infected by ransomware because of the cyberattack.
Following these attacks, the Biden administration made public its intentions to disrupt ransomware gangs and improve the nation's cybersecurity. Biden also met with Russian President Vladimir Putin to discuss how cyber criminals operating within the country's borders should be handled.
Whether it was because the group successfully pulled off two large ransomware attacks, or the White House's promise to target ransomware operators, the group began taking its sites offline, appearing to end its operations.
Around the same time, other ransomware operators began disappearing. DarkSide, who was responsible for the Colonial Pipeline incident, and Babuk, who attacked the Washington D.C. Police Department, both went dark.
Mayra Rosario Fuentes, Senior Threat Researcher at Trend Micro, watched it happen while she was scanning the dark web:
"So before the pipeline, a lot of these ransomware groups were in the open. They were advertising, it was easy to find them. They were usually into specific forums that happen to be Russian based.
After the pipeline made it to the news, some of these groups decided to not be on some of these sites. They were like, we’re going somewhere else, we're going to go into hiding. We don't want to be out here in the public anymore. We don't want to be found that easily for the journalists and the people that know how to find us."
[RELATED: Podcast episode, Exploring the Dark Web with a threat researcher]
Why has REvil returned?
Whatever the reason was for REvil's disappearance, the reason for returning is obvious: money, money, and more money.
Revenue generated by large ransomware operators continues to be massive in 2021. The chart below shows ransom payments by quarter over the last three years, according to Coveware:
While ransom payments have declined in 2021 compared to 2020, there is still a lot of money to be made for these operators. It is reported that the profit-sharing for REvil is 30% for the operator and 70% for the affiliate. This means that for the $11 million ransom payment from JBS Foods, REvil profited more than $3 million.
[RESOURCE: Don't miss Jeremy Sheridan, Assistant Director, Office of Investigations, for the United States Secret Service, present the opening keynote at SecureWorld's upcoming Great Lakes virtual conference, as he will discuss the evolution of ransomware and where it might be headed in the future. Register now.]