The operators behind the REvil ransomware group have resurfaced after allegedly closing shop following the widespread attack on Kaseya that caused thousands of victims on July 4.
Security researchers said all of the dark web sites for the prolific ransomware group -- including the payment site, the group's public site, the 'helpdesk' chat and their negotiation portal -- went offline on July 13 after the Kaseya attack drew worldwide condemnation and tough threats from US lawmakers.
US President Joe Biden spoke personally with Russian President Vladimir Putin after the attack. Many attributed REvil's closure to the conversation, where Biden pressed Putin about ransomware attacks originating from Russian soil.
Despite the conversation, both US authorities and Russian officials denied any involvement in REvil's disappearance in July.
But dozens of security researchers took to social media on Tuesday to show that the group's Happy Blog and other sites connected to REvil had resurfaced. Bleeping Computer reported that the newest entry was from a victim who was attacked on July 8.
Security researchers from Recorded Future and Emsisoft both confirmed that much of the group's infrastructure was back online.
Ransomware expert Allan Liska told ZDNet that most people expected REvil to return, but with a different name and a new ransomware variant.
"Things definitely got hot for them for a while, so they needed to let law enforcement cool down. The problem (for them) is, if this is really the same group, using the same infrastructure, they didn't really buy themselves any distance from law enforcement or researchers, which is going to put them right back in the crosshairs of literally every law enforcement group in the world (except Russia's)," Liska explained.
"I'll also add that I've checked all of the usual code repositories, like VirusTotal and Malware Bazaar, and I have not seen any new samples posted yet. So, if they have launched any new ransomware attacks, there haven't been many of them."
In August, a report from security company BlackFog on ransomware attacks found that REvil accounted for more than 23% of the attacks they tracked last month. That was more than any other group tracked in the report.
BlackFog CEO Darren Williams said the data showed REvil is now one of the most successful ransomware variants in 2021 and told ZDNet it is not surprising that the group has started up again given the prior success.
"There is clearly pent up demand for the group's techniques and codebase. The level of pressure being applied from the US President and high-level discussion with Putin correlate with the timing of the hiatus. The level of enforcement that is being applied globally also peaked during this period, they clearly feel they can continue operations now," Williams said.
"Overall, the global network of attackers leveraging REvil groups technology is at an all-time high. The success of these recent attacks and the sheer size and volume has indirectly generated even more interest by attackers licensing the technology. If it works, then clearly more attackers will leverage this technology until something better comes along. The challenge for cybersecurity vendors is to prevent these attacks by using newer technologies such as data exfiltration."
REvil attacked at least 360 US-based organizations this year, according to Emsisoft threat analyst Brett Callow. The RansomWhere research site says the group has brought in more than $11 million this year, with high profile attacks on Acer, JBS, Quanta Computer and more.
REvil's shut down in July left some victims in a tough spot. Mike Hamilton, former CISO of Seattle and now CISO of ransomware remediation firm Critical Insight, said one company paid a ransom after the Kaseya attack and received the decryption keys from REvil but found that they didn't work.
REvil typically offers a help desk function that aids victims with getting back their data.
"Some of our customers got off really easily. If you had that agent installed on unimportant computers, you just rebuilt them and got back to life. But we got a distress call a few days ago from a company that got hit hard because they had a company that was managing a lot of their servers with the Kaseya VSA. They got a lot of their servers hit and had a lot of information on them, and so they brought in their insurance company and decided to pay the ransom," Hamilton said.
"They got their decryption key, and when they started to use it, they found that in some places it worked and in other places it didn't. These ransomware gangs have customer support, but all of a sudden, they went dark. They're completely gone, and so there is no help, and these folks are just stuck. They're going to end up losing a lot of data, and they're going to end up spending a lot of money to rebuild their network from scratch completely."