The infamous criminal ransomware group behind the JBS SA cyberattack has returned to the dark web after vanishing this summer.

“REvil”, short for “Ransomware-Evil”, is among the most prolific cyber gangs to hold data for ransom. The group operates from Russia, according to cybersecurity firms and the US government, and is accused of leading a flurry of attacks this year against companies and organisations, including JBS. The giant Brazilian meat supplier eventually paid an US$11mil ransom.

REvil runs a website called the “Happy Blog”, where it publicly shames victims by publishing samples of data stolen before locking them out of their own networks. The attackers then try to persuade targets to pay for a digital key to restore network access.

A portal REvil uses to negotiate with victims also came back online on Sept 7, according to Adam Meyers, vice president of intelligence at cybersecurity firm CrowdStrike, although the cybergang hasn’t posted any new victims.

Meyers says it appears the site was restored by the same actors running the portal before it went offline in June without explanation.

“I would think this was a cool-off period,” he said. “There was a lot of heat back in June/July. Maybe they rebuilt some infrastructure and invested in better operational security.”

Earlier this year, REvil took credit for hacking the Taiwanese hardware supplier Quanta Computer Inc and in the process published secret blueprints for new Apple Inc devices. Last year, REvil executed a ransomware attack against a law firm it claimed once represented some of Donald Trump’s television enterprises.

Ransomware gangs prompted the Biden administration to take action this year after they attacked critical infrastructure, including health care providers, manufacturers and gas pipeline operators. Since then, the administration has launched a series of task forces aimed at rooting out the scourge, a crackdown that coincided with many cyber gangs going offline.

“Typically groups take some summer hiatus so we usually see some slowdown,” said Jake Williams, the chief technology officer at BreachQuest. “This year has been no different, with a serious summer lull in financially motivated ransomware activity. I haven’t seen a significant uptick yet, but we’re now entering the window when these attackers come back from holiday and get back to work.”

 - Bloomberg