After being offline for about two months, several of the dark-web servers belonging to notorious ransomware operator REvil have come back online.
The usually vocal group became uncharacteristically silent after orchestrating the Kaseya attacks back in July, following which its properties on both the dark web and the normal web, including its ransom negotiation portal, the website where it publishes exfiltrated data, and the blog it used to boast about its latest victims, went offline.
The disappearance led to speculation that the group could have been hit by law enforcement agencies following its extravagant but bungled Kaseya campaign.
However, BleepingComputer now reports that a couple of REvil’s properties have come back online again.
Back for real?
Reportedly, REvil’s payment/negotiation site and its data leak site on the dark web are both online.
The security community however is divided in its interpretation of the move.
While BleepingComputer thinks it could simply be law enforcement agents tinkering with the supposedly seized servers, others believe that REvil is about to get back to business.
“Revil took time to refit, retool, and take a bit of a holiday over the summer. The fact their sites are back online means they are, again, ready for business and have targets in mind,” security vendor Exabeam’s chief security strategist, Steve Moore tells TechRadar Pro.
In fact, Moore goes as far as to suggest that the ransomware operator has “undoubtedly” already laid their hands on a compromised software supply chain.
“The technique began in espionage and has now been borrowed for criminal activity; this campaign hasn’t started yet – but will very soon,” warns Moore.