REvil ransomware attacks resume, but operators are unknown

REvil, one of the most notorious ransomware operations in recent memory, looks to be back in action.

A new outbreak of ransomware attack reports and the relaunch of the group's leak site last week caught the attention of several security researchers. The dark web site, which is redirected to from the old REvil URL, lists several recent alleged victim organizations and claims to offer "the same proven (but improved) software."

REvil had apparently shut itself down in February after a series of arrests of what were reported to be key members of its leadership group. At the time, Russia was touting a new effort to crack down on ransomware campaigns that had previously been able to operate unhindered in the country.

As the Ukraine invasion has soured Russia's international relations and occupied its government, however, ransomware operators including REvil have been able to get back up and running.

Most prominent of the new REvil ransomware attacks was a network breach and data leak at Oil India, a natural resources company operating on the subcontinent. The attack was announced last week on the TOR leak site that REvil operators use to announce its victims and shame those who don't opt to pay ransom demands.

The URL for REvil's old leak site now redirects to a new one, which lists both old and seemingly new victims. And they're recruiting. h/t @pancak3lullz @S0ufi4n3 1/2 pic.twitter.com/cLB513qDwY

— Brett Callow (@BrettCallow) April 20, 2022

According to local media reports, Oil India not only confirmed that it had been breached and served with a $7.5 million ransom demand, but also called in both local police and international cyber attack researchers to investigate the incident.

While the attack caused some speculation that REvil was resuming operations, there was still some question as to whether the group had been falsely named or whether it was a copycat operation.

However, in recent days the REvil ransomware site claimed it had breached two more organizations, including a university in the U.S. While the school did not provide any confirmation of an attack or ransomware infection, its IT services portal appears to be offline. The university could not be reached for comment.

In addition to the reported attacks, a number of ransomware samples collected on open source malware repositories have been identified as REvil or Sodinokibi. Multiple researchers have also reported seeing some of the telltale malware samples of a REvil infection.

Though REvil as a brand might be back, the composition of its controlling group is a mystery. Thus far, no individuals have been identified, so it is unclear if the operation is being overseen by the same people who ran the previous operation or if a new group has taken over.

Given the arrests in February, it is likely that at least some of the operators are new individuals who were not previously part of REvil.

As has become the norm with ransomware operations, REvil uses a ransomware as a service model in which independent cybercriminals or "affiliates" do the dirty work of actually infiltrating a company's network and planting the malware before handing things over to the REvil group to oversee the ransom demand and collection.