{
	"id": "b556e7db-6176-49c2-bf0f-97c953df05f9",
	"created_at": "2026-04-06T00:08:16.181669Z",
	"updated_at": "2026-04-10T03:21:10.264254Z",
	"deleted_at": null,
	"sha1_hash": "9487d58370eaa0ac62de2757432f566e79b89a1a",
	"title": "REvil's TOR sites come alive to redirect to new ransomware operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2523777,
	"plain_text": "REvil's TOR sites come alive to redirect to new ransomware operation\nBy Ionut Ilascu\nPublished: 2022-04-20 · Archived: 2026-04-05 19:14:32 UTC\n\nREvil ransomware's servers in the TOR network are back up after months of inactivity and are now redirecting to a new operation that launched recently.\n\nIt is unclear who is behind the new REvil-connected operation, but the new leak site lists a large catalog of victims from past REvil attacks, plus two new ones.\n\nNew RaaS in the making\n\nA few days ago, security researchers pancak3 and Soufiane Tahiri noticed a new ransomware operation promoted on RuTOR, a forum marketplace focusing on Russian-speaking regions.\n\nThe promotion included a link to a new Tor data leak site that contained information on how to join the group as an affiliate, claiming to be \"The same proven (but improved) software.\"\n\nThis leak site, shown below, provides details on how to become an affiliate; affiliates allegedly get an improved version of the REvil ransomware and an 80/20 split of any ransom they collect.\n\nsource: BleepingComputer\n\nSecurity researcher MalwareHunterTeam observed this same leak site between April 5 and April 10, but with no content. However, a few days later, the researcher saw it become populated with a mixture of old REvil victims' data and some new victims.\n\nThe site lists 26 pages of victims, most of them from old REvil attacks, and just the last two appear to be related to the new operation. One of them is Oil India.\n\nToday, we received proof that this new operation is tied to REvil, as REvil's original Tor sites are now redirecting to this new operation's data leak site, as illustrated by security researchers and independently confirmed by BleepingComputer.\n\nAnother observation from MalwareHunterTeam is that the source of the new operation's RSS feed shows the string Corp Leaks, which has been used by the now-defunct Nefilim ransomware gang [1, 2].\n\nsource: BleepingComputer\n\nThe new operation's blog and payment sites are up and running on different servers.\n\nLooking at the former, BleepingComputer noticed that the new ransomware operation's blog drops a cookie named DEADBEEF, a computer term that was also used as a file marker by the TeslaCrypt ransomware gang.\n\nsource: BleepingComputer\n\nBeyond the redirects, a connection to a specific ransomware threat actor cannot be established until samples of the new REvil-based payload have been analyzed, and whoever is behind the new leak site has not claimed any name or affiliation yet.\n\nTo make it more confusing, multiple ransomware operations now use patched REvil encryptors or are linked to the original group in some manner.\n\nMalwareHunterTeam tweeted in January that another ransomware gang, named Ransom Cartel and launched in December 2021, is also related to REvil's encryptor.\n\nIn addition to Ransom Cartel, another group known as LV has been patching REvil's encryptor for some time to encrypt victims using their own encryption keys.\n\nMysterious case of redirects\n\nWhile under the control of the FBI in November 2021, REvil's data leak and payment sites began showing a page titled \"REvil is bad\" and a login form. These pages were initially only shown when accessing the site via TOR gateways, but later at the .onion URL as well.\n\nThe mystery of the recent redirects deepens, as this suggests that someone other than law enforcement has access to the TOR private keys that allowed them to make changes to the .onion site.\n\nOn a popular Russian-speaking hacker forum, users are speculating whether the new operation is a scam, a honeypot, or a legitimate continuation of the old REvil business that lost its reputation and has a lot to do to earn it back.\n\nREvil's fall\n\nREvil ransomware's long run started in April 2019 as a continuation of the GandCrab operation, the first to establish the ransomware-as-a-service (RaaS) model.\n\nIn August 2019, the gang hit multiple local administrations in Texas and demanded a collective ransom of $2.5 million, the highest at that time.\n\nThe group is responsible for the Kaseya supply-chain attack that affected about 1,500 businesses. However, this massive attack also led to their demise, as law enforcement worldwide intensified their collaboration to bring the gang down.\n\nSoon after hitting Kaseya, the gang took a two-month break, not knowing that law enforcement agencies had breached their servers. When REvil restarted the operation, they restored systems from backups, oblivious to the compromise.\n\nIn mid-January, Russia announced that it had shut down REvil after identifying all of the operation's members and arrested 14 individuals.\n\n“As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized,” Russia’s Federal Security Service\n\nIn an interview with Rossiyskaya Gazeta, the Deputy Secretary of the Security Council of the Russian Federation, Oleg Khramov, said that the Russian law enforcement agency started its investigation into REvil after the name 'Puzyrevsky' and an IP address were shared by the United States.\n\nAt the moment, the U.S. has stopped collaborating with Russia on cybersecurity threats, attacks on critical infrastructure in particular, as a direct result of Russia invading Ukraine.\n\nUpdate (April 21): Article updated to make it clear that the ransomware gang redirecting from the original REvil leak site to the new one appears to be different from other groups that used a patched REvil payload in the past, and that the redirect was observed on April 20.\n\nUpdate (10/15/22): Parts of article rewritten to make it clearer.\n\nSource: https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/"
	],
	"report_names": [
		"revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation"
	],
	"threat_actors": [],
	"ts_created_at": 1775434096,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9487d58370eaa0ac62de2757432f566e79b89a1a.pdf",
		"text": "https://archive.orkl.eu/9487d58370eaa0ac62de2757432f566e79b89a1a.txt",
		"img": "https://archive.orkl.eu/9487d58370eaa0ac62de2757432f566e79b89a1a.jpg"
	}
}