The ransomware group REvil (aka Sodinokibi) has been one of the most significant characters in the evolving ransomware drama that has been playing out over the past few years. The REvil ransomware variant was first detected in April 2019, and although the group initially focused on targeting Asia-based entities, the ransomware operators and associated affiliates are now indiscriminate in their choice of victim and sector. Nowadays, REvil’s bold and brazen attacks, such as targeting the Kaseya desktop management software and the meat processing organization JBS, mean that the group is rarely out of the news. REvil has experienced its fair share of controversy over the years, with everything from accusations of failing to pay those involved in its partnership program to claims that it effectively cut out affiliates and shared decryption keys with victims. We’ve also seen the group disappear without a trace, only to reemerge a few months later and carry on like nothing has happened. 

The latest development in REvil’s story involves a 17 Oct 2021 post from an alleged representative of the REvil (aka Sodinokibi) ransomware group on the prominent Russian-language cybercriminal forum XSS.  The user explained that REvil went offline at the beginning of July 2021 after the group’s former forum representative disappeared without explanation. The group later resumed work, assuming that this forum representative had died. However, on 17 Oct 2021 an unknown individual accessed parts of the backend of REvil website’s landing page and blog, leading the new forum representative to conclude that a third party has access to website backups and Onion service keys. It was unclear from the forum content whether the group was considering the possibility that this unknown third party was in fact the former forum representative, very much alive and kicking. The representative also confirmed that REvil’s servers showed no sign of compromise. They advised existing affiliate program participants to contact them via Tox to obtain keys for their existing ransomware campaigns, then announced that the group would now be going “offline”. 

Forum post announcing REvil’s disappearance and hijacking of the group’s domains
Forum post announcing REvil’s disappearance and hijacking of the group’s domains

The forum representative subsequently added more posts to the thread with further updates about the situation. They confirmed that the sites’ admin panels had not been hacked, that REvil’s domains had been “regenerated”, and that the group was now awaiting for the old domains to be defaced. The representative later alleged that they had been personally targeted during the attack, claiming that the unknown third party had deleted the path to the representative’s “hidden service in the torrc file”, while other group members’ hidden services remained unaffected. In response to another user’s question about who would work with REvil after this latest series of problems, the representative replied, “Judging by everything, I’ll be working on my own”. 

Reaction to the news from other forum members ranged from largely unsympathetic to bordering on conspiracy theory. The main area of debate was whether the group would rebrand for a third time, with many questioning whether the cybercriminal community would still trust REvil-related schemes. Opinion appeared split on whether REvil’s reputation would ensure the group’s considered success, with many pointing out that all publicity is good publicity, and predicting that the promise of great profits would still entice affiliates to work with the group in the future. One theory doing the rounds posited that a disgruntled former team member, combined with poor password hygiene, could have resulted in the attack. Many users questioned the fact that this topic was being discussed on the site at all, pointing to XSS’s May 2021 ban on ransomware-related content

The XSS representative for the LockBit ransomware group claimed to have predicted this turn of events, providing links to their “prophetic” forum posts. They questioned the REvil representative’s intention to leave the forum, opining “if the domains have been hijacked, this is 100% proof that someone had a root on the server, which means that your database has been leaked too”. The LockBit representative even put forward the idea the new REvil forum account may in fact be operated by law enforcement. 

What’s next in REvil’s ongoing tale is hard to predict, but it’s unlikely that we’ve seen the last of the group. The tone and wording of the REvil representative’s forum posts suggested that the group’s disappearance from the forum and halting of operations is a temporary pause, rather than a permanent move. History may well repeat itself, and we could see the group return unexpectedly in the same guise or with a different name. Yes, there are indications that REvil’s incarnations may be becoming marginally less effective each time – we recently saw the group advertising for affiliates on a 90/10 profit-splitting basis, which is more than the group has shared in previous years. Despite this, and the many controversies that REvil has been involved in that could have eroded all trust in and willingness to cooperate with the group, it seems that the group’s infamy and the promise of high profits are simply too much of a lure for many cybercriminals, who have returned to work with the group time and time again.