{
	"id": "3ab95f12-699a-4617-bb61-9c259491c07c",
	"created_at": "2026-04-06T00:12:03.054996Z",
	"updated_at": "2026-04-10T13:12:47.259563Z",
	"deleted_at": null,
	"sha1_hash": "a8c5dcf184721ce4686b409cde494723ea9c916a",
	"title": "There's a Clear Line From the REvil Ransomware to Russia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 727658,
	"plain_text": "There's a Clear Line From the REvil Ransomware to Russia\r\nBy Jeremy Kirk\r\nArchived: 2026-04-05 16:17:00 UTC\r\nFraud Management \u0026 Cybercrime, Next-Generation Technologies \u0026 Secure Development, Ransomware\r\nTwo Companies Have REvil Data; They Don't Appear Eager to Help (jeremy_kirk) • July 13, 2021\r\nA screenshot of a negotiating portal set up by the REvil ransomware group (Source:\r\nSecurityScorecard)\r\nThreat intelligence researchers are looking closely at REvil, the ransomware gang that infected up to 1,500\r\ncompanies in a single swoop. A look at part of the group's online infrastructure shows clear lines to Russian and\r\nU.K. service providers that, in theory, could help law enforcement agencies but don't appear eager to help.\r\nOn July 2, affiliates of REvil exploited several vulnerabilities in remote management software called the Virtual\r\nSystem Administrator from Miami-based Kaseya.\r\nThe vulnerabilities, combined with a series of clever maneuvers, allowed REvil to distribute ransomware to up to\r\n60 Kaseya customers, which are mostly managed service providers. Once on those MSPs' systems, REvil used\r\nVSA to push ransomware down to many of their customers, which included small businesses and municipalities\r\n(see: Kaseya: Up to 1,500 Organizations Hit in Ransomware Attack).\r\nhttps://www.bankinfosecurity.com/blogs/theres-clear-line-from-revil-ransomware-to-russia-p-3065\r\nPage 1 of 7\n\nThe damage may not be as bad as it could be, as the attackers didn't delete Volume Shadow Copy, a Windows backup\r\nfeature. One MSP in the Netherlands, VelzArt, reported on its blog that it had successfully restored its customers'\r\nsystems, albeit with very long days on the job.\r\nStill, some infected organizations have been negotiating ransom payments with REvil via the group's web-based\r\ncustomer service portals. 
And one of those portals has been left with fewer protections, which, in theory, could\r\nhelp law enforcement agencies.\r\nRansom Chat Portal\r\nTo start the ransom payment process, a victim goes to a website with their assigned user ID. Then, the victim\r\nenters a private key found in their ransom note, which brings up a chat dialog, the ransom amount being\r\ndemanded and the time left before the ransom amount rises due to nonpayment.\r\nREvil typically creates those customer service sites using the anonymity system Tor, which is short for The Onion\r\nRouter. With Tor, it's possible to set up a \"hidden\" website that masks the normal technical information. It's nearly\r\nimpossible to figure out where a hidden site is actually hosted.\r\nBut REvil has also set up a regular website, decoder[dot]re, for negotiations in case Tor is blocked in a particular\r\ncountry. That site, which is hosted in Russia, has been included in ransom notes found in REvil ransomware\r\nvictims since at least January, says Gene Yoo, chief executive officer of Los Angeles-based Resecurity, which\r\ninvestigates cybercrime and data breaches.\r\n\"It is obvious that the Russian government can’t not be aware about this malicious activity,\" Yoo says. \"These\r\ndetails add clear connections between REvil and Russia. Hopefully, it will be properly investigated to contain this\r\nmalicious activity damaging the business of thousands of companies globally.\"\r\nAfter meeting with President Joe Biden in mid-June, Russian President Vladimir Putin dismissed accusations that\r\nRussia's IP space was the source of major cyberattacks.\r\n\"It is not a valid technical comment,\" says Alex Holden, CTO of Hold Security, a Wisconsin-based threat\r\nintelligence company. 
\"Here we see another example of crime emanating from Russia.\"\r\nClearnet Mirror\r\nBecause it's on the clearnet, Resecurity as well as other researchers have been looking into decoder[dot]re's\r\nnetwork addresses and DNS records, which reveal several touch points that investigators could query.\r\nThe REvil gang gives instructions to victims on how to pay a ransom by visiting a negotiation site that is either a\r\nTor hidden service or a regular website, decoder[dot]re. (Source: Resecurity)\r\nOf course, domain name registration information can be faked and hosting can be purchased anonymously. But at\r\nthe same time, threat actors have been known to make glaring operational security mistakes. And even a slip-up in\r\nsomething as minor as reusing an email address can unravel an online mystery, as the investigation into the Silk\r\nRoad online market showed.\r\nDecoder[dot]re appears to have been purchased on Dec. 18, 2020, from TLD Registrar Solutions, which is based\r\nin the U.K., according to RiskIQ's Reputation Lookup database.\r\nPassive DNS records show the domain has been hosted since January by a Russian IT services company called\r\nJCS IOT, which develops internet of things solutions and offers cloud hosting services, virtualization and\r\ndedicated servers. JCS IOT also seems to be the parent IoT solutions company for a Russian hosting provider\r\ncalled FirstVDS. The two companies have the same legal entity as an owner and the same contact address.\r\nThe primary DNS record resolves to 82[.]146.34.4, which is an IP hosted in Russia that has been linked to various\r\nother REvil operations, writes Ryan Sherstobitoff, vice president of cyberthreat research and intelligence at\r\nSecurityScorecard, a New York-based cybersecurity company.\r\nSherstobitoff tells me the cybercriminals behind the server have invariably used fake names. 
But there could be\r\ninteresting information on the server, such as victims that the attackers have communicated with and possibly a\r\nJabber server they use for their own chats, he says.\r\n\"We're also looking at where these guys actually operate,\" Sherstobitoff says. \"These investigations are difficult\r\nfor sure.\"\r\nIn the past couple of years, REvil has used other clearnet domains as secondary channels for its negotiating\r\nportals, including decoder[dot]cc and decryptor[dot]top. Those domains, however, are no longer active, and it\r\nappears decoder[dot]re is the replacement.\r\nDecoder[dot]re is definitely affiliated with REvil, as it is a precise mirror of the Tor hidden portals used for\r\nnegotiations, Yoo says. Using available ransomware samples and information collected from the victims, it's\r\npossible to log into victims' negotiation pages. Entering a message in the chat on decoder[dot]re can then be seen\r\nwhen logging into the same victim's chat window via one of REvil's Tor hidden negotiating portals.\r\nA ransomware victim logs into decoder[dot]re using a user ID plus a private key that has been supplied in the\r\nransom note.\r\nJCS IOT has an email address dedicated to accepting abuse complaints. I emailed that address along with others\r\naffiliated with the company and the associated company, FirstVDS. But I have received no replies to the emails I\r\nsent in Russian and English.\r\nRegistrar Responds\r\nBut TLD Registrar Solutions, which sold the domain name registration, did respond. 
It immediately became clear,\r\nhowever, that the company isn’t in a hurry to revoke the registration.\r\nThe response to my email came from Lexie Kluss, who is on the support team of another domain name registrar,\r\nregistered in the Bahamas, called Internet.bs.\r\nPart of the site's Whois data\r\nAccording to Internet.bs' terms and conditions, TLD Registrar Solutions Ltd. is its parent company. TLD is listed\r\nas an accredited entity with the Internet Assigned Numbers Authority, the organization that oversees internet\r\naddressing and protocol issues.\r\nInternet.bs has popped up before as a registrar of interest. Near the peak of the rogue pharmaceutical spam\r\nproblems in 2012, Internet.bs was the registrar for nearly a third of the thousands of rogue online pharmacies,\r\naccording to this piece by computer security journalist Brian Krebs.\r\nTo add another complicating layer, Internet.bs has been owned since 2014 by the CentralNic Group PLC, which is\r\nlisted on the London Stock Exchange. Tim Tsoriev, head of corporate communications for CentralNic, writes via\r\nemail that \"we are in contact with law enforcement, but we can't comment on active investigations.\"\r\nKluss writes that an investigation found it could take no action, that Internet.bs does not host the content, which is\r\nindeed true, and that the issue should be taken up with decoder[dot]re's hosting provider.\r\nIncredibly, Kluss also writes that the company would comply with a law enforcement order for revoking the\r\nregistration, but that \"we feel that this type of request is a temporary resolution and not reflective in value of the\r\nrisk associated with the act of interrupting the DNS for us as a registrar. 
By registering another domain with\r\nanother registrar, any registrant can reinstate their content within a matter of minutes.\"\r\nKluss continued: \"Due to the time and cost to Internet.bs to review all of the legal issues, we respectfully ask that\r\nyou provide evidence to show that you have attempted to address these issues with the above-mentioned hosting\r\nproviders without result before we re-investigate what actions, if any, we are able to take.\"\r\nTo paraphrase: Whoever is running the site will just go to another registrar, so why bother?\r\nWhat's also interesting is that the statement supplied to me appears to be boilerplate used before by the\r\ncompany. Internet.bs provided a similar kind of statement to Slate in 2017 when the publication was enquiring\r\nabout the registrar's role with BlackMattersUS[.]com. That website was believed to have been created by the\r\nInternet Research Agency, the notorious Russian content farm. The U.S. Justice Department alleged in a 2018\r\nindictment that the organization interfered with the 2016 presidential election.\r\nTake It Offline?\r\nTaking decoder[dot]re offline would raise an issue.\r\nThe portal is likely being used by organizations to communicate with their attackers. Although whether to pay\r\nransoms is a contentious point of debate, it wouldn't help organizations already struggling with an infection to\r\ntake away their options, including paying for a decryption tool if it comes down to that.\r\nThe U.K. registrar should be easy for law enforcement officials to query. The Russian hosting company, JCS IOT,\r\nis obviously harder to probe. As Sherstobitoff says, those involved in the attack are using Russia as a safe haven.\r\nThe U.S. is pressing Russia for more cooperation in cracking down on ransomware criminals the U.S. 
alleges the\r\ncountry harbors. Pulling the threads around the decoder[dot]re domain might be a good place for the two countries\r\nto start cooperating in earnest - at least in theory.\r\nSource: https://www.bankinfosecurity.com/blogs/theres-clear-line-from-revil-ransomware-to-russia-p-3065",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bankinfosecurity.com/blogs/theres-clear-line-from-revil-ransomware-to-russia-p-3065"
	],
	"report_names": [
		"theres-clear-line-from-revil-ransomware-to-russia-p-3065"
	],
	"threat_actors": [],
	"ts_created_at": 1775434323,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8c5dcf184721ce4686b409cde494723ea9c916a.pdf",
		"text": "https://archive.orkl.eu/a8c5dcf184721ce4686b409cde494723ea9c916a.txt",
		"img": "https://archive.orkl.eu/a8c5dcf184721ce4686b409cde494723ea9c916a.jpg"
	}
}