Notorious Russian Ransomware Group ‘REvil’ Has Reappeared

The infamous criminal ransomware group behind the JBS SA cyberattack has returned to the dark web after vanishing this summer. From a report: “REvil,” short for “Ransomware-Evil,” is among the most prolific cyber gangs to hold data for ransom. The group operates from Russia, according to cybersecurity firms and the U.S. government, and is accused of leading a flurry of attacks this year against companies and organizations, including JBS. The giant Brazilian meat supplier eventually paid an $11 million ransom. REvil runs a website called the “Happy Blog,” where it publishes samples of data stolen before locking companies out of their own networks. The attackers then try to persuade targets to pay for a digital key to restore network access.

A portal REvil uses to negotiate with victims also came back online on Tuesday, according to Adam Meyers, vice president of intelligence at cybersecurity firm CrowdStrike, although the cybergang hasn’t posted any new victims. Meyers says it appears the site was restored by the same actors running the portal before it went offline in June without explanation. “I would think this was a cool-off period,” he said. “There was a lot of heat back in June/July. Maybe they rebuilt some infrastructure and invested in better operational security.”