REvil Is Back on Exploit and Trying to Restore Its Reputation [Updated]

Update [Sept 10, 10:40 AM EST] 

On September 10 at 09:40 AM EST, the threat actor operating under the alias “REvil” posted twice on Exploit to address and clarify what happened during the Kaseya-related key generation process and the human error that apparently caused the universal key to be leaked. Flashpoint analysts have identified these posts are providing a translation below with light editing for clarity:

Translation of REvil Exploit post from the original Russian, 9:40 AM EST, September 10, 2021

“I wasn’t clear earlier [in my original post about the Kaseya-related key generation error]. Apparently, when all the decrypters were collected together, people found the universal key among them.

“I understand what [LockBitSupp, the spokesperson for LockBit ransomware collective, is] getting at, but the payments totaled over 10kk (sic) and everyone knows about them. No one was scammed. We are in contact with our affiliates, we aren’t hiding anything.”

The threat actor REvil said they were not clear earlier and explained that the REvil operators mistakenly included the universal decryptor key along with the individual decryption keys, which was then discovered and sent to Kaseya and law enforcement agencies. 

Translation of REvil Exploit post from the original Russian, 8:02 AM EST, September 10, 2021

REvil previously posted on Exploit and elaborated on the key decryption process well. They wrote: “Our encryption process allows us to generate either a universal decryptor key or individual keys for each machine. Then, in the process of generating the keys, we had to generate between 20 and 500 decryption keys for each [individual] victim [because the victims of the Kaseya attack all had networks of different sizes]. One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That’s how we shit ourselves.”

REvil Reemerges

Today a threat actor operating under the alias “REvil” appeared on Exploit claiming to be the group’s new representative on the illicit Russian-language forum. The alleged representative of REvil went on to explain that the ransomware group has managed to come back online using their backups. This is apparently the first time that REvil has appeared on Exploit since the ransomware group disappeared for unspecified reasons in July following its high-profile attack on the Kaseya VSA remote management software. Following the cyberattack, REvil’s TOR servers and infrastructure were shut down and a master decryption key was leaked that worked for Kaseya victims.

Fully Operational

For all intents and purposes, it appears that REvil is fully operational after its hiatus. Evidence also points to the ransomware group making efforts to mend fences with former affiliates who have expressed unhappiness with the group’s disappearance.

Two days prior, on September 7, the REvil leaks blog known as Happy Blog, went back online after a two-month hiatus. REvil is also allegedly back on Exploit under a new alias, “REvil.”

RE-Building Bridges

Upon noticing Happy Blog was back online, some threat actors on illicit forums opened arbitration cases against REvil. Cyber intelligence analysts at Flashpoint observed a threat actor operating under the alias “boriselcin” opening an arbitration case against REvil spokesperson UNKN on the Russian-language forum XSS. Boriselcin claims that UNKN owed money before disappearing and wants to be compensated now that the group is again operational. On September 8, boriselcin said that they closed the arbitration case because the issue has been resolved. Flashpoint analysts assess with moderate confidence that other former affiliates may open such cases in the future if REvil’s return is confirmed.

Rumor Mill

Various threat actors on top-tier forums link the disappearance and reemergence of REvil with talks between President Joe Biden and his Russian counterpart, Vladimir Putin, which took place in-person in June in Geneva, as well as on the phone following REvil’s attack on Kaseya. These speculations were fueled by rumors that Russian intelligence services received a universal Kaseya-related decryptor from REvil and passed it along to US authorities. In the same post on September 9, the threat actor operating under the alias “REvil” on Exploit explained that the Kaseya key was leaked by law enforcement agencies due to human error during the key generation process.

Some have speculated that the US government’s subsequent decision to remove sanctions on companies participating in the Nord Stream 2 (NS2) pipeline had to do with this alleged transaction, while others expressed doubts that the FSB would be able to round up REvil in the matter of days without serious preparation.

Flashpoint cybersecurity and threat intelligence analysts underline that there is no evidence suggesting there was a political link between the disappearance and re-emergence of REvil; the removal of NS2 sanctions is in line with President Biden’s stated foreign policy objectives.

Prepare for Ransomware and Cyber Extortion with Flashpoint

Data and analysis for this article was discovered directly through analyst research in the Flashpoint platform. Request a demo or sign up for a free trial and see firsthand how Flashpoint cybersecurity technology can help your organization access critical information and insight into ransomware actors and their tactics, techniques, and procedures (TTPs).