The operators behind the REvil ransomware-as-a-service (RaaS) staged a surprise return after a two-month hiatus following the widely publicized attack on technology services provider Kaseya on July 4.
Two of the dark web portals, including the gang’s Happy Blog data leak site and its payment/negotiation site, have resurfaced online, with the most recent victim added on July 8, five days before the sites mysteriously went off the grid on July 13. It’s not immediately clear if REvil is back in the game or if they have launched new attacks.
“Unfortunately, the Happy Blog is back online,” Emsisoft threat researcher Brett Callow tweeted on Tuesday.
The development comes a little over two months after a wide-scale supply chain ransomware attack aimed at Kaseya, which saw the Russia-based cybercrime gang encrypting approximately 60 managed service providers (MSPs) and over 1,500 downstream businesses using a zero-day vulnerability in the Kaseya VSA remote management software.
In late May, REvil also spearheaded the attack on the world’s largest meat producer JBS, forcing the company to shell out $11 million in ransom to the extortionists to recover from the incident.