REvil’s TOR Sites Are Back With New Ransomware

Discovered in April 2019, the REvil/Sodinokibi ransomware (AKA Sodin) is a highly evasive ransomware that encrypts files and deletes the ransom request message after infection. The message informs the victim that a bitcoin ransom must be paid and that if the ransom is not paid on time, the demand will double.

REvil is a perfect example of Ransomware-as-a-Service, a cybercrime model in which two groups team up for the attack: the code authors who develop the ransomware and the affiliates who spread it and collect the ransom. This model makes Sodinokibi ransomware dangerous for companies of all sizes. Also known as Sodin or REvil, Sodinokibi quickly became the 4th most distributed ransomware in the world, targeting mostly American and European companies.

What Happened?

The REvil ransomware's servers on the TOR network have returned to service after months of inactivity, redirecting to a new operation that appears to have been running since at least mid-December of last year.

The new leak site lists a long roster of victims from previous REvil attacks, as well as two new victims. It is unknown who is behind the new REvil-connected operation.

On RuTOR, a forum marketplace that focuses on Russian-speaking countries, security researchers pancak3 and Soufiane

Read More: https://heimdalsecurity.com/blog/revils-tor-sites-are-back-with-new-ransomware/