The REvil ransomware gang, which has presided over some of the most devastating cyber attacks in recent memory, has resurfaced after traces of the group were wiped from the internet earlier this year.
Only days after spearheading a large-scale attack against Kaseya in July, the cyber crime group disappeared without any clues as to how or why. According to security researchers, REvil’s servers and payment sites were down, while its public spokesperson, who goes by ‘Unknown’ was unresponsive.
Elements of the group’s infrastructure have been turned online once again, now, just shy of two months later, according to Bloomberg. Researchers with CrowdStrike and others, for example, have spotted that the group’s website called the ‘Happy Blog’ has returned, as well as its portal REvil operators use to negotiate with victims.
Kaseya was the last high-profile entity that REvil had targeted before what has emerged to be a brief hiatus. The group had initially demanded a $70 million ransom for the attack, alongside smaller sums from companies affected further down the supply chain. In total, up to 1,500 organisers were affected as the vulnerable Kaseya VSA platform is used by MSPs.
Although REvil had vanished only days later, Kaseya mysteriously obtained the master decryptor from an unnamed ‘third party’ a couple of weeks later. This allowed the business, as well as the other organisations affected, to dissociate itself from the ransomware attack and fully restore services.
So far this year the group has previously targeted various organisations including Acer, the Harris Federation of London-based schools, and the Taiwanese firm Quanta Computer, one of the biggest hardware firms in the world.
RELATED RESOURCE
Defeating ransomware with unified security from WatchGuard
How SMBs can defend against the onslaught of ransomware attacks
When REvil vanished without explanation, speculation was rife as to why, with theories ranging from an internal fallout to enforcement action, to a brief break, or holiday.
Eset’s cyber security specialist Jake Moore told IT Pro at the time that the shutdown might possibly be enforcement action, although warned that if it was, this didn’t mean the individuals behind the scenes would be deterred from resurfacing.
“Cyber security specialist with Eset, Jake Moore, has suggested the shutdown could be the result of enforcement action, with the increasing scale and breadth of new and improving police tactics starting to take effect.
“With recent state of the art techniques used to target displacing the money in other operations, it is clear that the police are beginning to turn the tide and fight back on digital crime,” he said.
“Although the detail in such law enforcement tactics still remains unknown to the public, it highlights the police are continuing to grow in their operations and fight from different angles. However, this setback for REvil will unlikely deter them completely, if anything, it may spur them on more.”
-
M&S suspends online sales as 'cyber incident' continuesNews Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
-
Manners cost nothing, unless you’re using ChatGPTOpinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reportedNews Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the lastNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the USNews A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field day
News February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impactedNews The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
-
Warning issued over prolific 'Ghost' ransomware groupNews The Ghost ransomware group is known to act fast and exploit vulnerabilities in public-facing appliances
