REvil ransomware gang resurfaces after brief disappearance

A 2D mockup image of a business paying a cyber criminal for a ransom
(Image credit: Shutterstock)

The REvil ransomware gang, which has presided over some of the most devastating cyber attacks in recent memory, has resurfaced after traces of the group were wiped from the internet earlier this year.

Only days after spearheading a large-scale attack against Kaseya in July, the cyber crime group disappeared without any clues as to how or why. According to security researchers, REvil’s servers and payment sites were down, while its public spokesperson, who goes by ‘Unknown’ was unresponsive.

Elements of the group’s infrastructure have been turned online once again, now, just shy of two months later, according to Bloomberg. Researchers with CrowdStrike and others, for example, have spotted that the group’s website called the ‘Happy Blog’ has returned, as well as its portal REvil operators use to negotiate with victims.

Kaseya was the last high-profile entity that REvil had targeted before what has emerged to be a brief hiatus. The group had initially demanded a $70 million ransom for the attack, alongside smaller sums from companies affected further down the supply chain. In total, up to 1,500 organisers were affected as the vulnerable Kaseya VSA platform is used by MSPs.

Although REvil had vanished only days later, Kaseya mysteriously obtained the master decryptor from an unnamed ‘third party’ a couple of weeks later. This allowed the business, as well as the other organisations affected, to dissociate itself from the ransomware attack and fully restore services.

So far this year the group has previously targeted various organisations including Acer, the Harris Federation of London-based schools, and the Taiwanese firm Quanta Computer, one of the biggest hardware firms in the world.


Defeating ransomware with unified security from WatchGuard

How SMBs can defend against the onslaught of ransomware attacks


When REvil vanished without explanation, speculation was rife as to why, with theories ranging from an internal fallout to enforcement action, to a brief break, or holiday.

Eset’s cyber security specialist Jake Moore told IT Pro at the time that the shutdown might possibly be enforcement action, although warned that if it was, this didn’t mean the individuals behind the scenes would be deterred from resurfacing.

“Cyber security specialist with Eset, Jake Moore, has suggested the shutdown could be the result of enforcement action, with the increasing scale and breadth of new and improving police tactics starting to take effect.

“With recent state of the art techniques used to target displacing the money in other operations, it is clear that the police are beginning to turn the tide and fight back on digital crime,” he said.

“Although the detail in such law enforcement tactics still remains unknown to the public, it highlights the police are continuing to grow in their operations and fight from different angles. However, this setback for REvil will unlikely deter them completely, if anything, it may spur them on more.”

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.