The REvil gang returns with a new TOR network for new attack campaigns

REvil Gang TOR Network Cyberattack Campaigns Ransomware Darkweb RuTOR

A new leak site allegedly owned by the REvil ransomware gang has emerged on the threat landscape after being inactive for a few months. According to reports, the gang’s new TOR network redirects its visitors to a new ransomware operation that seems to have already begun in December 2021.

Furthermore, the new leak site exposes an extensive list of the notorious threat group’s past victims from their old ransomware attacks.

REvil’s new TOR network was discovered by security researchers being promoted in a dark web forum marketplace called RuTOR, where most Russian-speaking operators reside. The leak site is hosted in a new domain but will redirect visitors to the original page that the threat group utilised when they were still active.

Users will see details about the gang’s conditions with their affiliates on the site, including getting an upgraded version of the REvil ransomware with new ransom profit condition changes. The leak site also lists about 26 pages of the gang’s previous victims.

Security researchers first noticed the gang’s reemergence in mid-December 2021 but got no evidence if they have an actual association with it. However, when April came, the leak site got more popular among visitors, although experts are still clueless whether who the operators behind it are.


The new TOR network displays blog and payment site pages run via different servers.


While researchers are still probing the new TOR network for who possibly is administering it, they have observed that while REvil’s old leak site was seized by authorities in November last year, it displayed a page called ‘Revil is bad’ and a login form through TOR gateways.

It also appeared that the old site was also being accessed by other entities aside from the authorities, allowing them to modify the [.]Onion site. Some users from hacking forums debate if this new ransomware operation is either a fraud or the reemergence of the REvil gang in the threat landscape to regain their reputation.

The REvil ransomware group took itself into the threat spotlight in April 2019 to continue the ransomware-as-a-service (RaaS) model GandCrab operation. Afterwards, the gang made noise by attacking several local government units in Texas and acquired over $2.5 million in ransomware profits. They were also the mind behind the massive Kaseya supply-chain attack but were disrupted by the authorities, which led to their eventual downfall.

About the author

Leave a Reply