REvil Servers on Tor Suddenly Reactivate
Two Tor sites operated by the notorious REvil ransomware group have unexpectedly come back online. Why the servers have returned after nearly two months of silence is unknown, and no new samples of the ransomware have been detected so far.
Background: The Kaseya Attack
In early July, the criminal group behind REvil targeted Kaseya, whose VSA software is used by managed service providers (MSPs) to administer their customers' systems and networks. By exploiting a vulnerability in on-premises VSA servers, the attackers used the product's own update and management channel to push ransomware downstream, affecting around 60 MSPs and more than 1,500 organizations that relied on their services.
The scale of the attack led U.S. authorities to raise the issue directly with Russia in an effort to rein in the group. Then, in mid-July, all known REvil infrastructure went offline at the same time. Cybersecurity experts are still debating whether this was the result of law enforcement action or a deliberate decision by the group to disappear.
The Master Decryption Key
Later in July, Kaseya obtained a universal decryptor capable of restoring files encrypted in the attack, but the company did not disclose who provided it, describing the source only as a trusted third party. The attackers had initially demanded $70 million for the decryptor and later lowered the price to $50 million.
REvil’s Tor Sites Return
On September 7, the Tor portal the attackers used to handle ransom payments and negotiations became reachable again, although cybersecurity researchers who tried to log in were unable to do so. A second REvil onion site, the Happy Blog data leak site used to name victims and publish their stolen data, also came back online. According to BleepingComputer, the leak site appears to be functioning normally but contains no new information; its last post dates from shortly before the group vanished.
Current Status and Unanswered Questions
REvil's clearnet negotiation portal, decoder[.]re, remains offline. Experts are once again asking the same question: have the attackers returned, or did someone simply bring the servers of the apparently defunct group back up by mistake? If the group's disappearance was the result of government intervention, it seems unlikely that the authorities have changed their stance.