REvil Continues Its Reemergence, Joins Groove-led RAMP Forum
On October 7, cybersecurity analysts at Flashpoint discovered a post on the REvil leaks site, the Happy Blog, inviting users to join the ransomware group on RAMP.
REvil’s presence on RAMP—which is operated by the Groove threat actor collective—is a major endorsement of the forum as a place for illicit cyber activity. REvil’s registration is also particularly significant because of RAMP’s operating model: after several high-tier forums banned ransomware, RAMP marketed itself as a venue for ransomware discussions, recruitment, and advertisements.
Groove eschews the traditional “ransomware-as-a-service” model in favor of a collaborative, ad hoc approach: the collective will deal with any potential partner—for the right price. Mainstay forums such as XSS and Exploit have attempted to moderate away risk by banning ransomware activity. Groove, however, has expressed no such scruples and has called on small ransomware groups to post their victims on RAMP.
RAMP appeared in July 2021 as a rebranding of “Payload[.]bin,” formerly known as the Babuk ransomware leak blog. After the RAMP forum was flooded with spam posts in August 2021, the moderators implemented a stringent verification process for membership.
The “REvil” profile on RAMP was created on October 6. In a post underneath its profile, REvil advertised its affiliate program in detail and claimed that its practices are anonymous and secure. REvil followed up with a statement that it will wait until November to begin actively recruiting affiliates on RAMP. Cybersecurity analysts note that this post follows a report that REvil had been scamming its own affiliates through a backdoor in its ransomware code, which allowed the operators to hijack negotiations and collect ransoms without sharing them.
Threat actors operating on RAMP, however, have expressed both caution and contempt toward REvil’s reappearance. Some accused REvil of disappearing after a major security incident. Because that disappearance was never properly explained, other threat actors have speculated that the returning REvil account is being run by law enforcement. REvil has denied the charge.
Prepare for Ransomware and Cyber Extortion with Flashpoint
Data and analysis for this article was discovered directly through analyst research in the Flashpoint platform. Request a demo or sign up for a free 90-day trial and see firsthand how Flashpoint cybersecurity technology can help your organization access critical information and insight into ransomware actors and their tactics, techniques, and procedures (TTPs).