Back in January 2022 we wrote that REvil ransomware servers had been seized by the FBI and that some of the cyber criminals behind it had been arrested. However, less than four months later the ransomware's Tor page, "Happy Blog", came back to life.
More surprisingly, REvil posted information about new victims: Visotec Group and Oil-india.com.
It is unclear whether the original REvil operators control the website, whether it is a new FBI operation, or whether third-party criminals have gained control over it.
In any case, it is remarkable that the ransomware blog page proposes cooperation. The screenshot below shows a message in Russian left by the supposed cyber criminals.
The message says the malware has been improved and is ready to be sold in a franchise manner, with an 80/20 split of the proceeds between the client and the ransomware creators. The cyber criminals agree to work only through a "garant" (a guarantor) and require a deposit of 1 BTC beforehand.
Whether it is the original REvil or third-party hackers, we encourage you to stay vigilant against phishing, not to disclose details of your VPN if you use one, and to stay cyber secure!