The operational servers of the REvil ransomware gang, also known as Sodinokibi, have come back online for the first time since July. They went dark shortly after the gang's large-scale attack on Kaseya, in which REvil exploited a zero-day vulnerability in the Kaseya VSA remote management software to encrypt around 60 managed service providers (MSPs) and more than 1,500 of their downstream business customers.
The disappearance was noticed when REvil's servers and payment sites suddenly went offline and the gang's public spokesperson could no longer be reached for comment. Security researchers have now spotted that 'Happy Blog', REvil's Tor data leak site, and its Tor negotiation site are back up.
The last known trace of the gang was when Kaseya obtained a master decryptor from an unnamed 'trusted third party' a couple of weeks after REvil's servers went offline. One theory is that the gang handed the decryption key to Russian intelligence, which then passed it on to the FBI as a gesture of goodwill.
Back in operation?
No one knows why the servers were shut down in July, although pressure from law enforcement is one possible explanation. The reason for their resurfacing is just as unclear: it could mean that the ransomware gang is back in operation, or it could be the result of a law enforcement action. A leak site coming back online is not by itself evidence of new intrusions; that would require fresh victim postings or new malware samples.
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.