REvil's TOR sites come alive to redirect to new ransomware operation
2022-04-20 21:29

REvil ransomware's servers in the TOR network are back up after months of inactivity and redirect to a new operation that appears to have been running since at least mid-December last year.

It is unclear who is behind the new REvil-connected operation, but the new leak site lists a large catalog of victims from past REvil attacks plus two new ones.

The new site is hosted on a different domain but leads to the original one REvil used when active, BleepingComputer confirmed today, while the two researchers captured the redirect.

The site lists 26 pages of victims, most of them from old REvil attacks, and just the last two appear to be related to the new operation.

Connecting the operation to a ransomware threat actor is not possible at this time, as samples of the new REvil-based payload still have to be analyzed and whoever is behind the new leak site has not yet claimed any name or affiliation.

On a popular Russian-speaking hacker forum, users are speculating about whether the new operation is a scam, a honeypot, or a legitimate continuation of the old REvil business, which lost its reputation and has a lot to do to earn it back.


News URL

https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/