The apparent return of the REvil syndicate amid the reactivation of its infrastructure and dark web leak site – known as the Happy Blog – has cast doubt on previous reports of the crew’s demise and may yet herald a renewed campaign of ransomware attacks in the coming months. , prompting community speculation that the Russian authorities had pressurized the gang to scale back its activities after which downed multiple businesses by taking out their managed services providers. Others theorized that there had been a falling out within the REvil organization. The gang members had decided to cash out and “retire” REvil to concentrate on new projects.
Researchers from across the security community picked up the reactivation of REvil’s Happy Blog, including and . Multiple reports say the group’s payment portal , and Bleeping Computer has confirmed that REvil attacks occurring. chief security strategist Steve Moore said that as the reactivation of parts of REvil’s infrastructure appears to be a sign that the operation is back in business, it is only a matter of time before another powerful attack.
“I encourage organizations to think about this two-fold,” said Baker. “First, they undoubtedly have their next software compromised. The technique began in espionage and has now been borrowed for criminal activity. This campaign hasn’t started yet – but it will very .
“On the other hand, defenders should intrusion and poor recovery options and less on ransomware. Ransomware is the the compromise cycled.”
Moore added: “Directly, REvil took time to refit, retool, and take a bit of a holiday over the summer. The fact that their sites mean they are, again, ready for business and have targets in mind.”
security ops director Chris Sedgwick added: “Hacker groups disappearing when things heat up is something we have seen frequently, with cases like Emotet or Anonymous. When groups do disappear, it is and take the limelight off them from law enforcement agencies, and it rarely means they are disappearing for good.
“On the assumption that this is indeed the same operating the infrastructure, we would expect to see a new ransomware variant from the group shortly, but with much more carefully selected victims to keep the media and government attention off them as much as possible.”
Besides Kaseya, the REvil gang – also known as Sodinokibi – and its affiliates have been behind some of the most impactful ransomware attacks of the past two years, with victims including, , a New York law firm with celebrity clients including singers , and , which ultimately went bust as an indirect result of an early REvil attack at the end of 2019.
These efforts are REvil at least $100m and possibly more.
Even if there is another explanation behind the apparent re-emergence of REvil, security teams should use this to take stock of their cyber security posture and ransomware response plans. The .