Submitted URL: https://t.co/vdTYasAH9H
Effective URL: https://www.tripwire.com/state-of-security/security-data-protection/revil-dark-web-site-redirects-new-ransomware-operation/
Submission: On April 21 via manual from US — Scanned from DE
REvil reborn? Notorious gang’s dark web site redirects to new ransomware operation

By Graham Cluley, Apr 21, 2022. Category: IT Security and Data Protection

Sometimes referred to as Sodinokibi, the notorious REvil ransomware-as-a-service (RaaS) enterprise was responsible for a series of high-profile attacks against the likes of the world’s biggest meat supplier JBS Foods and IT service firm Kaseya.

However, it looked like its activities had come to a halt after law enforcement agencies pushed REvil offline in October 2021, and Russia reportedly arrested 14 of the gang’s members earlier this year.

So some will view new activity linked to REvil’s ironically-titled “happy blog”, where it announced its hacks against corporations and leaked data, with understandable disappointment.

As Bleeping Computer reports, researchers have spotted that the TOR address used for REvil’s leak site is now redirecting to a new website, with information about seemingly new attacks.

Amongst those listed as having fallen foul of hackers is Oil India, which last week disclosed it had suffered a security breach which required it to shut down its computer systems. The blog posted by the supposed perpetrators threatens to start publishing exfiltrated data – including contracts, client information, and messaging chats – unless Oil India continues its negotiations.

Most of the other victims listed on the webpage relate to past REvil ransomware attacks.

Meanwhile, a “Join us” page written in Russian explains how criminals can request to become an affiliate, offering benefits such as the “same proven (but improved) software” and an 80/20 split of ransoms collected.

Some may be more wary than normal, of course, of becoming a ransomware affiliate – given evidence uncovered in the past that REvil had no qualms about scamming its fellow cybercriminals.

So, is this latest development evidence that the REvil group is back in operation, or has a new ransomware-as-a-service operation somehow managed to seize control of REvil’s old site and point it to their own pages? Or is it possible that the new site is operating as a honeypot, trying to gather information about those interested in becoming ransomware affiliates and collecting intelligence for law enforcement agencies?

For now there are no clear answers, and the pages themselves don’t offer much in the way of clues – failing to make any claims about whose banner they might be operating under.

What is definite is that no organisation should rest on its laurels when it comes to defending itself from attack, and every organisation should take steps now to reduce the chances of being the next victim of a ransomware attack.

--------------------------------------------------------------------------------

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Categories: Featured Articles, IT Security and Data Protection

--------------------------------------------------------------------------------

About Graham Cluley: Graham Cluley has contributed 329 posts to The State of Security.