Two months after it vanished due to high-level political intervention, suspected Russian ransomware gang REvil could make more money this year after the cybercriminal group reopened for business on the dark web.

REvil (also known as Sodinokibi) was first spotted back online in early September, with its payment and data leak sites restored and suspended ransom demands reactivated – confirming that it isn’t quite done extorting money from major companies.

The gang’s re-emergence comes despite this month’s release of a new tool capable of decrypting files locked by REvil ransomware from when it first emerged in 2019, through to its disappearance on July 13 – days after its damaging Kaseya attack affected over 1,500 companies, driving US President Joe Biden to demand Russian President Vladimir Putin clamp down on the gang.

REvil’s sudden disappearance left its victims with no way to negotiate for recovery of their files – and while Kaseya released a decryptor for its victims weeks later, Bitdefender’s newly-released universal decryptor also works against other encryption methods used by the gang.

Developed using information supplied by what the Romanian security firm has only described as “a trusted law enforcement partner” currently investigating the gang’s activities, the decryption tool contains a ‘master key’ that allows it to unscramble files encrypted by REvil ransomware.

“Both parties believe it is important to release the universal decryptor before the investigation is completed to help as many victims as possible,” the firm said in a blog post noting that “hundreds of victims and counting” have already used the tool to recover their files.

Bitdefender’s decryption tool was made available online and instructions walk systems administrators through the recovery process.

Ransomware’s biggest earners?

Even as the new tool was released, Bitdefender’s security team remained fully cognisant that the cybercriminal gang was reconstituting and would likely have changed its methods once more – posing a renewed threat to the world’s businesses moving forward.

“We believe new REvil attacks are imminent after the ransomware gang’s servers and supporting infrastructure recently came back online after a two-month hiatus,” Bitdefender wrote, urging organisations “to be on high alert and to take necessary precautions”.

Just why REvil vanished in July is still the subject of speculation; Putin’s crackdown has been mentioned, but it’s just as likely the gang decided to take a break after collecting millions in ransom payments from a string of victims that also included fashion label FCUK, nuclear contractor Sol Oriens, and French electronics manufacturer Asteelflash.

The gang famously demanded $68m ($US50m) after stealing plans for unreleased products from Apple supplier Quanta Computer, and compromised meatworks JBS in a ransomware attack that shut down facilities in Australia and the United States until the company paid a $15m ($US11m) ransom.

REvil’s penchant for massive ransoms means it is likely to even out-earn big-name stars this year.

Yet its return is likely to create new headaches for law-enforcement agencies, for whom ransomware gangs are consuming an increasing portion of their time “because that’s what’s impacting our victims,” Douglas Domin, head of the FBI’s Criminal Computer Intrusion Squad, said during a recent webinar.

“Nowadays, if you’re a criminal hacker and you’re looking to do so as a means of income, ransomware is absolutely something that you are going to utilise,” he said, noting that cybercriminals have been so active that some victims report having their files locked and “just kind of waiting to be notified that there’s a problem.”

Intense scrutiny of REvil’s tactics has fuelled a range of advice about how to avoid getting hit by its ransomware – and with Australian companies reporting a new cyber attack every 8 minutes, it’s important for companies to be more proactive in defending themselves.

To avoid becoming the ransomware gang’s next victim, Domin said, “what should really be focused on is that there’s a whole timeline of events that occur before the ransomware was deployed; the vector to get into the network differs across not only variants, but within the same variant of ransomware.”

“Don’t question just once,” an analysis of REvil’s tactics by Palo Alto Networks threat-research arm Unit 42 advises. “Think like the attacker. You might be able to stop your organisation from being the next victim and escape being in the headlines for the wrong reasons.”