REvil Ransomware Group Reemerges, Already Wreaking Havoc

The REvil ransomware group, which was behind the attack on Kaseya just before the July 4th weekend, is back after a brief disappearance.

Flashpoint’s threat intelligence team has observed new activity from the REvil ransomware group. The group posted twice on the illicit Russian-language forum Exploit to address and clarify what happened during the Kaseya-related key generation process and the human error that apparently caused the universal key to be leaked.

In the weeks following the attack, Kaseya said it acquired a universal decryptor allowing victims of the attack to unlock encrypted files for free.

In one of its Exploit posts, REvil explains how it lost control of the universal decryptor:

“Our encryption process allows us to generate either a universal decryptor key or individual keys for each machine. Then, in the process of generating the keys, we had to generate between 20 and 500 decryption keys for each [individual] victim [because the victims of the Kaseya attack all had networks of different sizes]. One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine.”

REvil Ransomware Group ‘Fully Operational’

According to Flashpoint, “for all intents and purposes, it appears that REvil is fully operational after its hiatus.”

“Evidence also points to the ransomware group making efforts to mend fences with former affiliates who have expressed unhappiness with the group’s disappearance,” it said.

Flashpoint cybersecurity and threat intelligence analysts said there is no evidence suggesting there was a political link between the disappearance and reemergence of REvil.

Also, in its latest posts, REvil says victims of the Kaseya attack paid $10 million in ransoms.

What Reemergence Means

Flashpoint’s Maria Gershuni

So what does the reemergence of REvil mean? We spoke with Maria Gershuni, global intel analyst II with Flashpoint.

Chanel Futures: What does this reemergence of REvil mean? Is it surprising that REvil is back?

Maria Gershuni: While this development is significant, it is not surprising. Flashpoint analysts have long observed chatter on illicit forums discussing a possible reemergence of the group. However, most chatter believed that the group would reemerge under a new name. They were wrong.

After REvil first disappeared, discussion circulated on whether the disappearance had geopolitical implications. Prompted by REvil’s attack, U.S. President Biden issued an ultimatum to Russian President Putin in a July 2021 phone call, telling his Russian counterpart to step up and deal with the ransomware collectives that are operating within Russian territory.

Researchers commonly believe that cybercriminals who operate in Russia receive safe harbor from domestic law enforcement in exchange for the criminals’ tacit agreement to not attack Russian entities. REvil’s disappearance, less than a week after the Biden-Putin phone call, seemed to point to the Russian government’s cooperation with U.S. requests and may have signaled a potential cyber rapprochement in dealing with cybercriminal organizations. The reemergence of REvil, however, puts a damper on hopes that Russia and the U.S. would cooperate to combat cybercrime.

Scroll through our gallery above for more of Gershuni’s comments and more cybersecurity news.