The REvil servers on the Tor network are back online and are now redirecting requests to the new leak site. Its pages contain a long list of ransomware victims, mostly the results of past attacks, but two entries are very recent.
The operators of the site have registered a new onion address and are actively promoting it on the Russian-language hacker forum RuTOR. The new site can also be reached through a redirect from the previous leak site (Happy Blog).
Apparently, this is an alternative RaaS (Ransomware-as-a-Service) operation based on REvil, launched either by members of the criminal group who remain at large or by some orphaned affiliate. This is also suggested by the offer for partners published on the new leak site.
A 26-page list of ransomware victims is currently available here, among which BleepingComputer experts found a couple of new names, including Oil India. The attack on the Indian oil and gas state company became known at the beginning of this month.
According to MalwareHunterTeam, the new REvil-based affiliate program has been running since at least mid-December. Its platforms for publishing stolen data and controlling payments appeared at the beginning of this month and are hosted on other Tor servers.
The ransomware’s former onion sites have been under FBI control since November. Last year someone hacked those sites as well, leaving behind a registration page.
The group behind REvil gained notoriety after last year’s attack on Kaseya, which forced it into a two-month timeout. In September the RaaS operation resumed, but a month later it shut down again after its blog and onion payment site were hacked.
In October and November the first arrests connected with the REvil attacks were made in Western Europe. In January, 14 alleged members of the criminal group were detained in Russia at the request of the US authorities, and a Ukrainian suspected of involvement in REvil operations is now on trial in the United States.