In mid-July of this year, the criminals behind the ransomware “REvil”, also known as Sodinokibi, disappeared from the scene. When their so-called “Happy Blog”, which publishes leaked data from extortion victims, unexpectedly went back online last week, it sparked speculation about a deliberate move by the law enforcement agencies involved.
It has since become clear that part of the REvil server infrastructure was in fact compromised by an unknown party, and that a member of the ransomware gang has disappeared under unexplained circumstances. This has not, however, stopped the rest of the gang from resuming operations with new malware variants and fresh data leaks in the “Happy Blog”.
Circumstances of the withdrawal in July
Instead of the member “Unknown”, who had otherwise acted as the mouthpiece of the REvil gang in forums and towards the press, another member wrote new posts in an underground forum at the end of last week under the plain pseudonym REvil. Screenshots of the conversation were published by Bleeping Computer, among others. Writing in Russian, the author explains that “Unknown” disappeared under unexplained circumstances (probably in July of this year; exactly when is not stated).
After waiting in vain for a long time, the developers of the REvil malicious code eventually assumed that Unknown had been arrested. In addition, their hosting provider informed them that the gang’s clearnet servers, which ran the REvil payment infrastructure among other things, had been “compromised”; by whom, the post does not say. In any case, the hoster deleted the content immediately. According to the post, the REvil developers then made a backup of the remaining darknet server infrastructure and temporarily took it offline.
REvil developers apparently leaked the master key themselves
The author of the posts also explains how the US company Kaseya came into possession of the REvil master key. The company Flashpoint has published a translation of his statements in a blog post. “Our encryption process allows us to generate either a universal decryption key or individual keys for each system,” it says. While generating a large number of keys, one of the developers simply misclicked and generated a universal key, which he then inadvertently sent along with some of the individual keys. “That’s how we shit ourselves,” concludes Flashpoint’s translation.
Ultimately, REvil’s comeback could still be an elaborate strategy by investigators trying to gain the trust of ransomware affiliates and other criminals. Otherwise, the nonchalance with which the REvil gang is returning to day-to-day business is surprising: a new REvil/Sodinokibi variant compiled on September 4th has already surfaced on the VirusTotal malware scanning service. In addition, a new entry with company data has been added to the “Happy Blog”.