“REvil” reappears on forum — but not “Unknown?”
As previously noted by this site and others, REvil threat actors appear to have re-emerged after disappearing in July.. Their dedicated leak site and blog are at the same Tor address as previously, but is it “Unknown” who is back, or not?
A new account calling itself “REvil” registered on a popular Russian-language forum this week where REvil’s Unknown had previously had a presence until ransomware ads or listings were banned due to too much attention from law enforcement.
Responding to comments about their apparent reappearnce, REvil commented (machine translation):
As UNKWN (aka 8800) disappeared, we (the coders) backed up and turned off all the servers. They thought he was accepted. We tried to search, but to no avail. We waited – he didn’t show up and we got everything from the backups.
After the UNKWN disappeared, the hoster wrote that the clearnet servers were compromised and he deleted them immediately. We shut down the main server with the keys normally shortly after.
Responding to speculation as to how the general decryptor key for Kaseya was released or leaked, “REvil” wrote:
As for Kasei’s key, allegedly leaked by law enforcement agencies, it “leaked” due to an employee’s error during the generation of the decryptor.
The user calling themself LockBitSupp asked REvil to provide more technical detail as to how such a leak could have occurred by error, to which REvil responded:
Our encryption is implemented in such a way that it is possible to generate a decryptor for the entire grid, or it is possible for each machine. Then, in the process of work, it was necessary to generate 20-500 decryptors for each victim (the grids endured at the kasei were of different sizes), and he apparently misclicked and generated a universal one for the entire grid and issued one universal decryptor along with a bunch of those that were for 1 machine … So they shit.
LockBitSupport remained skeptical, replying:
1) why did someone miss clicked and gave out a Kasei key when your site was already disabled for a long time? never miss clicked on anyone, and then when the payment of 10kk + miss clicked
2) the darks had the same story that after a large payment, they were immediately hacked immediately, without even having time to share the money with the advertisers, when it comes to the amount of more than 10kk hacks occur and miss clicks for some reason
3) it turns out that some wonderful coincidence happened, miss click while the hoster wrote that the clearnet servers were compromised and he deleted them immediately
REvil replied to the first part:
mumbled earlier. apparently when all the decryptors were collected, they found that one of them had a universal key. I understand where you are, but the payments were more than 10kk and we know about them, no one threw anyone. With an advertiser in touch, we don’t hide our joint
(This is where a better translator might help — neither Google nor Yandex provide really understandable English versions).
But since ransomware advertising has been banned on that forum as well as another popular Russian-language forum, we may not see much more from REvil. Interestingly, however, when REvil (“the coders”) reappeared, they were immediately hit with an arbitration complaint over previous work that had allegedly not been paid when they disappeared. That complaint was resolved quickly, so maybe this new “REvil” does have access to full backups and more. Time will tell.