13 September 2021

REvil ransomware gang resumes operations

After a few months of silence, the notorious ransomware operation known as REvil, or Sodinokibi, has returned to life and is once again attacking new victims.

The first signs of the group's activity were spotted last week, when the REvil ransomware gang's servers came back online after nearly two months of shutdown. The group went dark following its large-scale ransomware attack in July against the US-based software company Kaseya, which impacted around 60 MSPs and over 1,500 downstream businesses. The attackers exploited a zero-day vulnerability (CVE-2021-30116) in the Kaseya VSA remote management platform to push ransomware through Kaseya's software to the MSPs running it and on to their customers.

The REvil ransomware gang then demanded $50 million for a universal decryptor covering all Kaseya victims. Kaseya later announced that it had obtained the decryptor from a "trusted third party".

The attack drew the attention of the media and of law enforcement, which increased pressure on the group. On July 13, REvil shut down its infrastructure and went silent.

However, on September 7, REvil's dark web leak site, known as the Happy Blog, and the group's Tor payment/negotiation portal came back online. Two days later, on September 9, a new REvil malware sample was uploaded to VirusTotal.

According to a new representative of the group, who goes by the handle 'REvil', the gang temporarily shut down its operations after its previous representative, known as 'Unknown', disappeared, prompting concerns that he had been arrested and that the group's servers had been compromised.
