
REvil gang website redirects to new ransomware operation

Sometimes referred to as Sodinokibi, the notorious REvil ransomware-as-a-service (RaaS) operation was responsible for a series of high-profile attacks on companies such as the world’s largest meat supplier, JBS Foods, and the IT management software vendor Kaseya.

However, its activities appeared to come to a halt after law enforcement took REvil offline in October 2021, and Russia reportedly arrested 14 of the gang’s members earlier this year.

So some will view the new activity related to REvil’s ironically titled “Happy Blog,” where the gang announced its corporate hacks and data leaks, with understandable dismay.

As Bleeping Computer reports, researchers have spotted that the Tor address used for the REvil leak site is now redirecting to a new website that lists apparently new attacks.

Among those listed as having been victims of hackers is Oil India, which revealed last week that it had suffered a security breach that forced it to shut down its computer systems.

The blog published by the alleged perpetrators threatens to start publishing exfiltrated data – including contracts, customer information and messenger chats – unless Oil India continues negotiations.

Most of the other victims listed on the webpage are linked to past REvil ransomware attacks.

Meanwhile, a “Join Us” page written in Russian explains how criminals can apply to become an affiliate, offering benefits such as the “same proven (but improved) software” and an 80/20 split of the collected ransoms.

[Screenshot: the REvil “Join Us” page]

Some may be more wary than usual, of course, about becoming a ransomware affiliate – given evidence uncovered in the past that REvil had no qualms about scamming fellow cybercriminals.

So, does this latest development prove that the REvil group is up and running again, or has someone else managed to take over the old REvil site and redirect it to their own pages?

Or is it possible that this new site is operating as a honeypot, gathering information on people interested in becoming ransomware affiliates and collecting intelligence for law enforcement?

For now, there are no clear answers, and the pages themselves offer few clues – making no claims about the banner under which they are operating.

What is certain is that no organization should rest on its laurels when it comes to defending against attack; every organization should take action now to reduce the risk of becoming the next ransomware victim.


Editor’s note: The views expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.