The REvil ransomware group, silent since the Russian FSB arrested 14 members and seized assets in late January, appears to have returned.
The group's old victim leaks site now forwards to a new site, featuring old and new victims.
"We obviously can't say for sure that this is [the original] REvil back," said Brett Callow, a ransomware expert with Emsisoft. "But that would be the most logical assumption."
Of particular note among the new victims is Oil India, a state-run oil interest that was hit by ransomware on April 10 by actors asking for $75 million in ransom.
The new site also features a recruitment ad for new affiliates.
The new advertisement touts the same proven ransomware with new improvements.
"It's very hard to say [if REvil will struggle to get its affiliates back.]. I actually thought Conti would struggle after it was doxxed," Callow said.
There was "absolutely nothing" in terms of chatter that suggested REvil was planning a return, said Callow. REvil is best known for affiliates holding JBS hostage in 2021 as well as being the ransomware used in the Kaseya supply chain incident.
Callow said he was unsure why the group changed leaking sites, though options include security concerns after the arrests and a general sprucing up of the product.