The REvil ransomware gang appears to be back after a hiatus of nearly two months. According to various security and malware researchers, the ‘Happy Blog’, a website known to be one of the many servers operated by the REvil ransomware gang, has been confirmed to be back online and functioning.
In the world of data breaches and ransomware, the REvil ransomware gang is among the most prolific cybercriminal groups operating right now. According to various cybersecurity researchers and the US Government, the group is believed to operate out of Russia.
In recent times the notorious gang has become known for two major attacks: the JBS attack, where the Brazilian meat supplier is reported to have eventually paid a ransom of $11 million; and the Kaseya data breach, a mass ransomware attack during the 4th of July that hit thousands of businesses worldwide. For the Kaseya breach specifically, the gang demanded a whopping $70 million for a “master decryption key” to decrypt all Kaseya victims, but dropped the price to $50 million, presumably after negotiations.
However, Bleeping Computer reports that Kaseya may have obtained the master key via the FBI, after Russian intelligence obtained the key from the threat actors and handed it over to the FBI as a gesture of goodwill.
Through the above-mentioned attacks, the gang single-handedly spooked US government officials into taking major action against the increasing number of data breaches and ransomware attacks. These attacks prompted President Joe Biden to sign a memorandum to improve cybersecurity and to announce various new cyber initiatives with private sector leaders.
Happy Blog: the REvil ransomware gang’s playground
The Happy Blog is a well-known “playground” for the REvil ransomware gang on the dark web. The website is known to publish samples of data stolen from the companies that REvil targets, before the gang eventually locks these companies out of their own servers or networks. The Happy Blog was last operational on July 13th, after which it was believed to have been shut down by REvil operators. In addition, a popular dark web “payment portal” also operated by REvil is back online.
Adam Meyers, VP of Intelligence at cybersecurity firm CrowdStrike, has also stated that the payment portal has come back online, but that the gang has not yet updated the portal with any new victims. He also states that the site seems to have been restored by the same actors who ran the portal until July, before the gang’s apparent “cooling-off period”.
Emsisoft threat analyst Brett Callow believes that REvil operators may merely have brought the site back online to collect payments from previous victims who have yet to recover their data. Alternatively, it may be that the gang is preparing for its next big attack, considering its activity and targets over the last year. At the time of writing, none of the cited sources has seen any activity on the REvil sites, and it remains to be seen what the Russian gang plans to do next.