Effective URL: https://www.tripwire.com/state-of-security/security-data-protection/revil-dark-web-site-redirects-new-ransomware-operation/


REvil reborn? Notorious gang’s dark web site redirects to new ransomware operation

Graham Cluley | Apr 21, 2022 | IT Security and Data Protection

Sometimes referred to as Sodinokibi, the notorious REvil ransomware-as-a-service
(RaaS) enterprise was responsible for a series of high-profile attacks against
the likes of the world’s biggest meat supplier, JBS Foods, and the IT service firm
Kaseya.

However, it looked like its activities had come to a halt after law enforcement
agencies pushed REvil offline in October 2021, and Russia reportedly arrested 14
of the gang’s members earlier this year.

So some will view new activity linked to REvil’s ironically-titled “happy blog”,
where it announced its hacks against corporations and leaked data, with
understandable disappointment.

As Bleeping Computer reports, researchers have spotted that the TOR address used
for REvil’s leak site is now redirecting to a new website, with information
about seemingly new attacks.

Amongst those listed as having fallen foul of hackers is Oil India, which last
week disclosed it had suffered a security breach which required it to shut down
its computer systems.

The blog posted by the supposed perpetrators threatens to start publishing
exfiltrated data – including contracts, client information, and messaging chats
– unless Oil India continues its negotiations.

Most of the other victims listed on the webpage relate to past REvil ransomware
attacks.

Meanwhile, a “Join us” page written in Russian explains how criminals can
request to become an affiliate, offering benefits such as the “same proven (but
improved) software” and an 80/20 split of ransoms collected.

Some may be more wary than normal, of course, of becoming a ransomware affiliate
– given evidence uncovered in the past that REvil had no qualms about scamming
its fellow cybercriminals.

So, is this latest development evidence that the REvil group is back in
operation, or has a new ransomware-as-a-service operation somehow managed to
seize control of REvil’s old site and point it to their own pages?

Or is it possible that the new site is operating as a honeypot, trying to
gather information about those interested in becoming ransomware affiliates and
collecting intelligence for law enforcement agencies?

For now there are no clear answers, and the pages themselves don’t offer much in
the way of clues – they make no claims about under whose banner they might be
operating.

What is definite is that no organisation should rest on its laurels when it
comes to defending itself from attack; every organisation should take steps now
to reduce the chances of being the next victim of a ransomware attack.

--------------------------------------------------------------------------------

Editor’s Note: The opinions expressed in this guest author article are solely
those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
