IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

REvil ransomware gang resurfaces after brief disappearance

Elements of the notorious ransomware group's infrastructure have come back online

The REvil ransomware gang, which has presided over some of the most devastating cyber attacks in recent memory, has resurfaced after traces of the group were wiped from the internet earlier this year.

Only days after spearheading a large-scale attack against Kaseya in July, the cyber crime group disappeared without any clues as to how or why. According to security researchers, REvil’s servers and payment sites were down, while its public spokesperson, who goes by ‘Unknown’ was unresponsive. 

Elements of the group’s infrastructure have been turned online once again, now, just shy of two months later, according to Bloomberg. Researchers with CrowdStrike and others, for example, have spotted that the group’s website called the ‘Happy Blog’ has returned, as well as its portal REvil operators use to negotiate with victims.

Kaseya was the last high-profile entity that REvil had targeted before what has emerged to be a brief hiatus. The group had initially demanded a $70 million ransom for the attack, alongside smaller sums from companies affected further down the supply chain. In total, up to 1,500 organisers were affected as the vulnerable Kaseya VSA platform is used by MSPs. 

Although REvil had vanished only days later, Kaseya mysteriously obtained the master decryptor from an unnamed ‘third party’ a couple of weeks later. This allowed the business, as well as the other organisations affected, to dissociate itself from the ransomware attack and fully restore services.

So far this year the group has previously targeted various organisations including Acer, the Harris Federation of London-based schools, and the Taiwanese firm Quanta Computer, one of the biggest hardware firms in the world.

Related Resource

Defeating ransomware with unified security from WatchGuard

How SMBs can defend against the onslaught of ransomware attacks

Whitepaper title above a red triangle with an exclamation point insideFree download

When REvil vanished without explanation, speculation was rife as to why, with theories ranging from an internal fallout to enforcement action, to a brief break, or holiday.

Eset’s cyber security specialist Jake Moore told IT Pro at the time that the shutdown might possibly be enforcement action, although warned that if it was, this didn’t mean the individuals behind the scenes would be deterred from resurfacing.

“Cyber security specialist with Eset, Jake Moore, has suggested the shutdown could be the result of enforcement action, with the increasing scale and breadth of new and improving police tactics starting to take effect.

“With recent state of the art techniques used to target displacing the money in other operations, it is clear that the police are beginning to turn the tide and fight back on digital crime,” he said.

“Although the detail in such law enforcement tactics still remains unknown to the public, it highlights the police are continuing to grow in their operations and fight from different angles. However, this setback for REvil will unlikely deter them completely, if anything, it may spur them on more.”

Featured Resources

2023 Strategic roadmap for data security platform convergence

Capitalise on your data and share it securely using consolidated platforms

Free Download

The 3D trends report

Presenting one of the most exciting frontiers in visual culture

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

Leverage automated APM to accelerate CI/CD and boost application performance

Constant change to meet fast-evolving application functionality

Free Download

Recommended

Ransomware now strikes one in 40 organisations per week, Check Point finds
ransomware

Ransomware now strikes one in 40 organisations per week, Check Point finds

27 Jul 2022
Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022

Most Popular

Warning issued over ransomware attacks targeting VMware ESXi servers globally
cyber attacks

Warning issued over ransomware attacks targeting VMware ESXi servers globally

6 Feb 2023
ION Trading reportedly pays LockBit ransom demands
ransomware

ION Trading reportedly pays LockBit ransom demands

6 Feb 2023
Tips for Boosting your Organisation’s Security Posture with Encryption
Sponsored

Tips for Boosting your Organisation’s Security Posture with Encryption

6 Feb 2023