REvil Group’s Tor Sites Unexpectedly Reactivate
Security researchers have noticed that the dark web sites of the REvil ransomware group, which ceased operations in early 2022, are active once again. The original sites now redirect visitors to the leak site of a different ransomware operation, which lists both previous REvil victims and two new ones.
Background: REvil’s Shutdown and Law Enforcement Actions
REvil’s activities stopped in January 2022 after Russia’s FSB announced the arrest of 14 individuals linked to the group. Raids were conducted at 25 locations in Moscow, St. Petersburg, and the Leningrad and Lipetsk regions. The FSB stated that the operation was initiated following a request from U.S. authorities.
The Tverskoy District Court in Moscow detained eight alleged group members, charging them with acquiring and storing electronic means intended for illegal money transfers as part of an organized group (Article 187, Part 2 of the Russian Criminal Code). The maximum penalty for this charge is up to seven years in prison.
New Ransomware Campaign and Site Details
According to Bleeping Computer, security researchers pancak3 and Soufiane Tahiri were the first to spot the renewed activity. The new "leak site" is being promoted on the Russian-language RuTOR forum marketplace (not to be confused with the torrent tracker of the same name). The new site lives at a different .onion address, but the original REvil Tor site, used while the group was still active, now redirects to it.
The site spells out terms for "partners," who supposedly receive an improved version of the REvil malware and split ransom payments with the developers 80/20. Across 26 pages, the site lists companies hit by the ransomware, most of which are previous REvil victims. Only the last two entries appear to belong to the new campaign; one of those victims is the Indian oil and gas company Oil India.
Links to Other Ransomware Groups
Journalists note that in January, shortly before REvil's shutdown, MalwareHunterTeam observed activity from another ransomware group, Ransom Cartel, which appears to be connected to the REvil ransomware in some way. Later, the same researchers noticed that the REvil leak site was online from April 5 to April 10 but initially served no content; it began filling up about a week later. MalwareHunterTeam also found that the site's RSS feed contains the string "Corp Leaks," previously used by the now-defunct Nefilim group.
Bleeping Computer also reports that the new blog and payment sites run on different servers, and that the blog sets a cookie named DEADBEEF, a name previously used by another ransomware family, TeslaCrypt. Such overlaps (a reused string in an RSS feed, a reused cookie name) are weak attribution signals on their own: they are trivial to copy, so they point to shared tooling or deliberate imitation as readily as to the same operators.
Speculation and Ongoing Discussions
The reactivation of these redirects is itself telling: a Tor onion address is derived from the hidden service's public key, so whoever can publish content or redirects at the old REvil address must hold the matching private key. Since the original sites went dark after law enforcement action, this suggests that someone other than law enforcement (a former member, or someone who obtained the keys from them) controls those keys. On Russian-language hacker forums, there is active debate about whether the new operation is a scam, a law enforcement trap, or a genuine new offer from former REvil members trying to repair their reputation.
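To make the "whoever controls the address holds the key" point concrete, here is an added example (not code from the original article or from any of the groups it describes) that derives a Tor v3 onion address from a hidden-service public key, following the published rend-spec-v3 construction: base32(PUBKEY || CHECKSUM || VERSION), where CHECKSUM is the first two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION) and VERSION is 0x03. The 32-byte public key used below is constructed for illustration and is not a real key from any site mentioned here. Because the address is a function of the public key alone, answering at that address requires the corresponding ed25519 private key, which cannot be recovered from the address.

```python
"""Derive and validate Tor v3 onion addresses from an ed25519 public key.

Added example for illustration; the key bytes are constructed, not real.
"""
import base64
import hashlib

ONION_VERSION = b"\x03"             # v3 hidden-service address version byte
CHECKSUM_PREFIX = b".onion checksum"  # fixed domain-separation string from rend-spec-v3
ONION_LABEL_LEN = 56                 # 35 bytes -> 56 base32 characters, no padding


def onion_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Return the lowercase xxx.onion address for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(addr: str) -> bytes:
    """Extract the embedded public key, raising ValueError if the address is malformed.

    The checksum check is what lets a Tor client reject a mistyped or tampered
    address before ever contacting the network.
    """
    label = addr.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != ONION_LABEL_LEN:
        raise ValueError("v3 onion label must be 56 base32 characters (v2 addresses are 16)")
    try:
        raw = base64.b32decode(label.upper())
    except Exception as exc:  # binascii.Error for non-base32 input
        raise ValueError("label is not valid base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch")
    return pubkey


def is_valid_onion_address(addr: str) -> bool:
    """Boolean wrapper around parse_onion_address for quick triage of leak-site URLs."""
    try:
        parse_onion_address(addr)
        return True
    except ValueError:
        return False


# Constructed sample key (NOT a real hidden-service key): bytes 0x00..0x1f.
SAMPLE_PUBKEY = bytes(range(32))


def demo() -> str:
    """Derive the address for the constructed key and confirm it round-trips."""
    addr = onion_address(SAMPLE_PUBKEY)
    assert parse_onion_address(addr) == SAMPLE_PUBKEY
    return addr


if __name__ == "__main__":
    print(demo())
```

Note that the derivation runs in one direction only: given an address you can recover the public key and check its integrity, but you cannot produce the private key needed to serve content at that address, which is why the redirect change implies key possession rather than merely knowledge of the URL.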
Several ransomware groups are currently either using modified REvil malware or posing as the original group. These include LV, which used the REvil encryptor before law enforcement took an interest, and Ransom Cartel, whose exact connection to REvil remains unclear.