REvil, a so-called “ransomware-as-a-service” provider blamed for some of the year’s biggest cyberattacks, has reemerged online nearly two months since abruptly vanishing from the web. “Happy Blog,” a darknet website run by REvil, has recently become reachable once again, several keen observers noted on social media Tuesday. It remained accessible as of Wednesday afternoon.
REvil caused extensive damage earlier in 2020 by licensing its custom ransomware to cybercriminals who then successfully deployed it on victims including meat giant JBS USA and software firm Kaseya. In several instances, the “Happy Blog” published data stolen from victims of the ransomware attacks and would threaten to leak more unless payment was made through a custom online portal.
REvil’s online presence suddenly went dark on July 13, however, sparking rumors at the time about whether those involved might have ceased operations amid mounting pressure from the U.S. and abroad. U.S. officials have said they believe REvil is based in Russia, and the White House repeatedly singled out the group in the weeks before its “Happy Blog” websites and payment portal abruptly vanished.
But while the Biden administration touted the disappearance of REvil nearly two months ago, the White House would not tell reporters whether the U.S. government was involved in any way. Days after REvil vanished in July, a senior White House official called it a “very positive” development, adding: “This is a group that has brought tremendous negative impact to victims around the world.”
Both the darknet version of the “Happy Blog” and REvil’s payment portal have since become operational again, Emsisoft security researcher Brett Callow said Wednesday on social media. “It’s possible they’ve brought the sites back online simply to enable them to collect payment from any previous victims which have yet to recover their data,” Mr. Callow speculated on Twitter.
So-called “hidden service” sites on the darknet, such as the “Happy Blog,” are meant to be visited using special browsing software. A surface web version of the blog that vanished in July remains offline.