REvil Return?
After months of inactivity, REvil ransomware servers have come online in the Tor network and now direct to a new operation assumed to have started in mid-December 2021. As reported by Bleeping Computer, security researchers pancak3 and Soufiane Tahiri identified a new REvil leak site being promoted on RuTOR, a Russian-speaking forum. "The new site is hosted on a different domain but leads to the original one REvil used when active, Bleeping Computer confirmed today." The site gathers affiliates, offering a new copy of the REvil ransomware along with an 80/20 split. While old victim pages have been posted, new victims are also listed on the site, including Oil India. With no concrete leads on the affiliates or members associated with the new site, and no sample of the new REvil ransomware, the activity around REvil remains a mystery and will require additional investigation.