Today the servers of the REvil ransomware gang were back online after around two months since their shutdown. The circumstance was immediately noted by many researchers, me too.
The dark web leak site of the ransomware gang, also known as the Happy Blog, is back online, while the site decoder[.]re is still offline at the time of this writing.
It is not clear if the REvil gang resumed its operations or if the servers were turned on by law enforcement.
On July 2, the REvil ransomware gang hit the Kaseya cloud-based MSP platform impacting MSPs and their customers.
The REvil ransomware operators initially compromised the Kaseya VSA’s infrastructure, then pushed out malicious updates for VSA on-premise servers to deploy ransomware on enterprise networks.
The group asked $70 million worth of Bitcoin for decrypting all systems impacted in the Kaseya supply-chain ransomware attack.
The attack caught the attention of the media and the police authorities that increased pressure on the group.
Starting from July 13, the infrastructure and the websites used by the REvil ransomware gang were mysteriously unreachable. The Tor leak site, the payment website “decoder[.]re”, and their backend infrastructure went offline simultaneously.
It is not clear if the operators shut down the operations due to the pressure of law enforcement after the recent Kaseya massive ransomware attack or if the infrastructure was seized as a result of an operation conducted by law enforcement.
On July 22, Kaseya announced to have received by a trusted third-party a universal decryptor that allows victims of the ransomware attack to recover their files for free.
Currently, the leak site doesn’t include announcements for new victims.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, ransomware)
[adrotate banner=”5″]
[adrotate banner=”13″]
Security Affairs Malware newsletter includes a collection of the best articles and research on malware…
A new round of the weekly Security Affairs newsletter has arrived! Every week, the best…
Fintech firm Figure confirmed a data breach after hackers used social engineering to trick an…
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in BeyondTrust RS and…
A new alleged Russia-linked APT group targeted Ukrainian defense, government, and energy groups, with CANFAIL…
A new threat actor, UAT-9921, uses the modular VoidLink framework to target technology and financial…
This website uses cookies.
