Exabeam urges caution following REvil ransomware group news

By BizClik Admin
Security researchers have confirmed that REvil ransomware, the cybercrime syndicate, is back online via its Happy Blog and other connected sites.

Cybersecurity company Exabeam is urging businesses to be cautious following the news that the operators behind the REvil ransomware group have resurfaced. The group had closed shop after the widespread attack on Kaseya, which claimed thousands of victims on July 4.

Security researchers have said all of the dark web sites for the prolific ransomware group, including the payment site, the group's public site, the 'helpdesk' chat and their negotiation portal, went offline on July 13 after the Kaseya attack drew worldwide condemnation and tough threats from US lawmakers.  

The REvil/Sodinokibi variant has been used by countless affiliates to extort money from companies as diverse as the now-defunct Travelex, Jack Daniel's maker Brown-Forman and meat processing giant JBS. Last year the group claimed to have amassed a fortune of $100m through its efforts.

Exabeam's Chief Security Strategist, Steve Moore, says: "REvil is already very likely a reincarnation of a previous group. After all, adversaries' talent and confidence are stronger after prior successes. I encourage organisations to think about this two-fold.

"First, they undoubtedly have their next software supply chain compromised. The technique began in espionage and has now been borrowed for criminal activity; this campaign hasn't started yet – but will very soon.

"On the other hand, defenders should focus more on the missed intrusion and poor recovery options and less on ransomware. Ransomware is the product of being unable to detect and disrupt the cycle of compromise – period.  

"Directly, REvil took time to refit, retool, and take a bit of a holiday over the summer. The fact their sites are back online means they are, again, ready for business and have targets in mind."
