Following the news that the operators behind the REvil ransomware group have resurfaced after allegedly closing shop following the widespread attack on Kaseya, please see below comments from security experts.
<p><strong>Why would REvil be back online?</strong><br />REvil, apart from an extortion group, could also be considered a brand name. It is easier to pay ransoms to well-known groups than newcomers.</p>
<p><strong>Should we expect more attacks?</strong><br />Of course. Unless it is a hoax onion site, and this could be validated, more attacks should be expected. We believe that the people behind the attack on Kaseya are not standing still.</p>
<p><strong>Does the fact they are using the same infrastructure as previously mean the attackers could be easier to catch? Why would they make such a rookie mistake?</strong><br />There are many layers to hide the identity of the origin. Especially the use of the same group name looks like a thought-through and confident move.</p>
<p>Hacker groups disappearing when things heat up is something we have seen frequently in the past, with cases like Emotet or Anonymous. When groups do disappear, it is generally to buy some time and take the limelight off them from law enforcement agencies, and it rarely means they are disappearing for good. On the assumption that this is indeed the same threat group operating the infrastructure, we would expect to see a new ransomware variant from the group in the near future, but with a much more carefully selected victims to keep the media and Government attention off them as much as possible.</p>
<p><strong>Why would REvil be back online?</strong><br />REvil, apart from an extortion group, could also be considered a brand name. It is easier to pay ransoms to well-known groups than newcomers.</p>
<p><strong>Should we expect more attacks?</strong><br />Of course. Unless it is a hoax onion site, and this could be validated, more attacks should be expected. We believe that the people behind the attack on Kaseya are not standing still.</p>
<p><strong>Does the fact they are using the same infrastructure as previously mean the attackers could be easier to catch? Why would they make such a rookie mistake?</strong><br />There are many layers to hide the identity of the origin. Especially the use of the same group name looks like a thought-through and confident move.</p>
<p>Hacker groups disappearing when things heat up is something we have seen frequently in the past, with cases like Emotet or Anonymous. When groups do disappear, it is generally to buy some time and take the limelight off them from law enforcement agencies, and it rarely means they are disappearing for good. On the assumption that this is indeed the same threat group operating the infrastructure, we would expect to see a new ransomware variant from the group in the near future, but with a much more carefully selected victims to keep the media and Government attention off them as much as possible.</p>