REvil appears to be making a comeback. Security experts discovered a dark web leak page that shows similarities to the methods of the disbanded hacking group.
Security researchers pancak3 and Soufiane Tahiri found a dark web blog used to publish new and older REvil attacks. The blog calls on individuals to take part in REvil or become an affiliate. Affiliates are promised a 20 percent share of the ransoms collected through attacks.
The resurrection of REvil would be extraordinary, as the hackers were taken offline at the beginning of this year. The Russian intelligence service FSB claimed the arrest of several leading members. Among other things, REvil was responsible for the notorious supply-chain ransomware attack on software supplier Kaseya.
The researchers indicate that the ‘new’ REvil has already claimed its first victim: Oil India, an Indian oil company. The criminal group is threatening to publish private contracts and customer information if the organization fails to pay a ransom of 196 bitcoins (roughly 7.9 million dollars).
REvil is unconfirmed
There’s no proof that former REvil members are participating in the new attacks. It’s not uncommon for new criminal groups to adopt the brands of former players. Furthermore, the security experts discovered source code that refers to other ransomware operators: traces of two criminal groups, Corp Links and TeslaCrypt, were found. Finally, it’s possible that the leak page is being used to scam organizations and cybercriminals alike.