The Revil group site shows signs of life


Will Revil eventually die? The Russian authorities had announced fourteen arrests in January concerning individuals suspected of having been involved in the Revil ransomware group, one of the most active groups in recent years. The website used by the group, a Tor network-based site known as “Happy Blog,” had been displaying a 404 error since the arrests were announced.

But two security researchers found on Tuesday that the site had undergone changes. It now redirects to a new blog, which reuses part of the code from Revil’s original blog and lists victims of a ransomware group. This new blog carries both former Revil victims and newly announced organizations hit by the ransomware.

As Bleeping Computer reports, the blog is hosted on a new domain name, but Revil’s old site URL automatically redirects visitors to the new site, implying that the administrators of the ransomware group’s website have set up this redirection to the new site. Setting up this type of redirection requires access to the private keys used to administer the domain name. The new site does not exactly replicate the title or layout of the old version of Revil’s blog, but it does show many victims previously claimed by Revil as well as new organizations, such as Oil India. The latter recently confirmed that it had been the victim of a cyberattack that paralyzed its systems.

According to Bleeping Computer, the site also carries an offer to recruit new affiliates, offering them the use of “an improved version of the Revil ransomware” and a share of the ransoms obtained with the administrators of the website.

It remains to be seen who is really behind this redirect and the new site. On this point, experts are divided. Some lean towards a takeover of the site by former Revil operators who escaped arrest, while others believe it to be another group seeking to exploit Revil’s notoriety to launch its own cybercriminal activity.

Founded in 2019, the Revil group, also known as Sodinokibi, was one of the first ransomware groups to adopt double extortion techniques and to target very large organizations. The group notably claimed responsibility for the attacks on the Kaseya company in the United States and the Pierre Fabre group in France.