REvil’s TOR domains spring to life, redirecting to a new ransomware operation

REvil ransomware’s servers on the TOR network have been reactivated after months of dormancy, redirecting to a new operation that looks to have begun at least in mid-December of last year. It is unknown who is behind the latest REvil-related operation, however, the new leak site mentions a huge number of victims from previous REvil operations, as well as two new ones.

A new RaaS is in the works

However, security researchers pancak3 and Soufiane Tahiri observed the new REvil leak site being pushed on RuTOR, a forum marketplace focusing on Russian-speaking countries, a few days ago. The new site is located on a different domain, but it redirects to the previous one REvil used while it was operational, which the two researchers recorded. The site includes 26 victim pages, most of which are from previous REvil assaults, with just the final two appearing to be tied to the current operation. Oil India is one of them.


In January, a few weeks after 14 accused members of the gang were detained in Russia, security researcher MalwareHunterTeam stated that beginning in mid-December last year, they saw activity from a new ransomware gang that was connected to REvil, albeit no relationship was apparent.

The current REvil-related leak site was eventually discovered to be up and running from April 5 and April 10, with no material, and it began to be populated around a week later. MalwareHunterTeam also noticed that the source of the RSS feed included the word Corp Leaks, which was utilized by the now Nefilim ransomware group. On separate servers, the blog and payment sites are up and running.


Looking at the latter, BleepingComputer noticed that the new ransomware operation’s blog leaves a cookie entitled DEADBEEF, a computer phrase that the TeslaCrypt ransomware group used as a filemarker.


At this point, it is impossible to link the new REvil-based payload to a ransomware malicious attacker since samples of the newer payload must be evaluated, and whoever is behind the new discovery site has still not established a name or association.

REvil’s data leak and payment sites presented a page labeled “REvil is terrible” and a registration form even when under FBI control in November 2021, first via TOR gateways and at the. The place of the onion.

The mystery surrounding the redirection, both current and from last year, grows, implying that someone other than law enforcement had access to the TOR private keys that enabled them to make changes for the. Onion-based website. Users on a famous Russian-language hacker site are debating whether the new operation is a hoax, a honeypot, or a legitimate continuation of the old REvil enterprise, which has a long way to go to reclaim its image.

The collapse of REvil

REvil ransomware has a lengthy life, beginning in April 2019 as a continuation of the GandCrab operation, the first to pioneer the ransomware-as-a-service (RaaS) concept.

In August 2019, the gang targeted various municipal governments in Texas and wanted a total ransom of $2.5 million, the biggest at the time.

The organization is responsible for the Kaseya supply-chain hack, which harmed about 1,500 firms and resulted in their downfall last year as law enforcement throughout the world increased their coordination in order to bring the gang down.

The group took a two-month sabbatical soon after striking Kaseya, unaware that law enforcement agents had hacked their systems. REvil continued the operation, unaware of the breach, and restore systems from backups. Russia stated in mid-January that it has shut down REvil after identifying and detaining all members of the group.

“As a consequence of the coordinated activities of the FSB and the Russian Ministry of Internal Affairs, the organized criminal community ceased to exist, and the digital infrastructure utilized for illegal objectives was neutralized.” Russia’s Federal Security Service

Check out Saytonic’s YouTube video regarding REvil’s background, which discusses FBI hacks. REvil Ransomware Syndicate

Image Credits: BleepingComputer

Node-ipc Sabotaged To Condemn Russia’s Invasion of Ukraine