REvil ransomware’s servers in the Tor network are active again after months of inactivity. At present, these servers are redirecting users to a new operation that is believed to have started in mid-December 2021.

Tor sites redirection

Recently, two security researchers noticed the new REvil leak site being advertised on a forum called RuTOR. It was noted that the new site was hosted on a different domain, however, the traffic was redirected to the original Tor sites used by REvil when it was active.
  • One of the researchers observed the current REvil-related leak site active between April 5 and April 10 with no content.
  • After a week, the new site was populated, sporting a large set of victims from REvil attacks.
  • The site is showing 26 pages of victims—most of them from older REvil attacks—with two new operations, one of them being Oil India.

Moreover, the new leak site provides details on the conditions for affiliates, who are claimed to receive an improved version of the ransomware and a split of 80/20 for affiliates collecting a ransom.

More insights

Researchers observed that the blog and payment sites for the group are now up and running on different servers.
  • The new blog drops a cookie DEADBEEF, a computer term that was used as a file marker by the TeslaCrypt group. However, a connection to any ransomware threat actor is not established yet.
  • Another observation was the source for the RSS feed that disclosed the string Corp Leaks, which was used by the Nefilim ransomware group.


The mystery of the redirects, recent and from last year hints that someone other than law enforcement has access to the Tor private keys allowing them to make changes to the “.onion” site. On a Russian-speaking hacker forum, users are suggesting that the new operation is a scam, a honeypot, or a legit continuation of the old REvil crime business that lost its reputation.


The recent revival of Tor servers suggests a potential attempt from the REvil ransomware group to gain ground again in the cybercrime landscape and restore its lost reputation. It shows that ransomware gangs can live many lives through rebranding, forks, and revival of past threats. Thus, organizations should always be prepared with adequate security measures to stay protected. 

Cyware Publisher