REvil Ransomware Group is Back as "Happy Blog" Returns

An infamous ransomware group that appeared to shutter its operations following a major supply chain attack on IT software provider Kaseya seems to be back in business.

The REvil/Sodinokibi variant has been used by countless affiliates to extort money from companies as diverse as the now-defunct Travelex, Jack Daniel's maker Brown-Forman and meat processing giant JBS.

Last year it claimed to have amassed a fortune of $100m through its efforts.

However, widespread condemnation following the July Kaseya attack, which impacted thousands of downstream customers, including schools, appeared to have forced the group offline. The attack itself garnered attention from the very top level of the US government, with President Biden ordering his intelligence agencies to investigate.

Some speculated that it was simply lying low and would likely return with different branding.

However, that doesn’t appear to be the case, with the group’s “Happy Blog” site now back up and running, according to Recorded Future. The site is where it publishes data exfiltrated from its victims in order to force them to pay up.

“At the time of writing, the website is still listing the same victims it listed at the time of its shutdown on July 13,” the threat intelligence firm claimed.

“In addition, REvil’s ‘payment portal,’ where victims are told to go and negotiate with the REvil gang, has also been restored at the same old dark web .onion URL.”

Some speculated back in July that REvil threat actors, thought to be located within Russia, had been told to tone down their activity by the Kremlin after high-level geopolitical meetings with Washington.

The White House has issued repeated statements warning that it reserves the right to go after cyber-criminals wherever they’re located if governments purportedly harboring them refuse to take action.
