DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

“REvil” reappears on forum — but not “Unknown?”

Posted on September 10, 2021 by Dissent

As previously noted by this site and others, REvil threat actors appear to have re-emerged after disappearing in July.. Their dedicated leak site and blog are at the same Tor address as previously, but is it “Unknown” who is back, or not?

A new account calling itself “REvil” registered on a popular Russian-language forum this week where REvil’s Unknown had previously had a presence until ransomware ads or listings were banned due to too much attention from law enforcement.

Responding to comments about their apparent reappearnce, REvil commented (machine translation):

As UNKWN (aka 8800) disappeared, we (the coders) backed up and turned off all the servers. They thought he was accepted. We tried to search, but to no avail. We waited – he didn’t show up and we got everything from the backups.

They added:

After the UNKWN disappeared, the hoster wrote that the clearnet servers were compromised and he deleted them immediately. We shut down the main server with the keys normally shortly after.

Responding to speculation as to how the general decryptor key for Kaseya was released or leaked, “REvil” wrote:

As for Kasei’s key, allegedly leaked by law enforcement agencies, it “leaked” due to an employee’s error during the generation of the decryptor.

The user calling themself LockBitSupp asked REvil to provide more technical detail as to how such a leak could have occurred by error, to which REvil responded:

Our encryption is implemented in such a way that it is possible to generate a decryptor for the entire grid, or it is possible for each machine. Then, in the process of work, it was necessary to generate 20-500 decryptors for each victim (the grids endured at the kasei were of different sizes), and he apparently misclicked and generated a universal one for the entire grid and issued one universal decryptor along with a bunch of those that were for 1 machine … So they shit.

LockBitSupport remained skeptical, replying:

1) why did someone miss clicked and gave out a Kasei key when your site was already disabled for a long time? never miss clicked on anyone, and then when the payment of 10kk + miss clicked

2) the darks had the same story that after a large payment, they were immediately hacked immediately, without even having time to share the money with the advertisers, when it comes to the amount of more than 10kk hacks occur and miss clicks for some reason

3) it turns out that some wonderful coincidence happened, miss click while the hoster wrote that the clearnet servers were compromised and he deleted them immediately

REvil replied to the first part:

mumbled earlier. apparently when all the decryptors were collected, they found that one of them had a universal key. I understand where you are, but the payments were more than 10kk and we know about them, no one threw anyone. With an advertiser in touch, we don’t hide our joint

(This is where a better translator might help — neither Google nor Yandex provide really understandable English versions).

But since ransomware advertising has been banned on that forum as well as another popular Russian-language forum, we may not see much more from REvil. Interestingly, however, when REvil (“the coders”) reappeared, they were immediately hit with an arbitration complaint over previous work that had allegedly not been paid when they disappeared. That complaint was resolved quickly, so maybe this new “REvil” does have access to full backups and more. Time will tell.

Related posts:

  • SCOOP: UnitingCare paid hundreds of thousands of dollars to REvil for decryption key and deletion of files
  • Operation Anti Security Breakdown and targets, the full time line
  • Confused about the drama with the new BreachForums? Reading this will either help you or make your head spin.
  • Arabic News site Durar Shamiya Hacked, 50,000 Accounts Leaked
Category: Breach Incidents

Post navigation

← HBP Financial Services Group notice of breach impacting Pathology Consultants of New London, PC
Th: Hospital hack prompts call for cooperation →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.