REvil ransomware gang resumes operations

REvil ransomware gang resumes operations

After a few months of silence, the notorious ransomware operation known as Revil or Sodinokibi has returned to life and is once again attacking new victims.

The first signs of the group’s activity were spotted last week, when the servers of the REvil ransomware gang came back online after nearly two months of shutdown following a large-scale ransomware attack against the US-based software company Kaseya that impacted 60 MSPs and over 1,500 businesses in July. The hackers exploited a zero-day vulnerability (CVE-2021-30116) in the Kaseya VSA remote management platform to deploy ransomware to hundreds of IT management companies running Kaseya’s software.

The REvil ransomware gang then demanded $50 million for a universal decryptor for all Kaseya victims, however, the company later announced that it received the decryptor from a “trusted third party”.

The ransomware attack caught the attention of the media and the law enforcement authorities that increased pressure on the group. On July 13, REvil shut down their infrastructure and went silent.

However, on September 7, the REvil’s dark web leak site, also known as the Happy Blog, as well as the group’s Tor payment/negotiation portal came back online. Two days later, on September 9, a new REvil malware sample was uploaded to VirusTotal.

According to a new group’s representative who goes online as ‘REvil’, the gang temporarily shut down its operations after the previous REvil’s representative known as ‘Unknown’ disappeared prompting concerns that he was arrested and servers were compromised.


Back to the list

Latest Posts

Cyber Security Week in Review: July 4, 2025

Cyber Security Week in Review: July 4, 2025

In brief: Google patches Chrome 0Day, the US is on the hunt for North Korean IT workers, and more.
4 July 2025
AI chatbots fall for phishing scams

AI chatbots fall for phishing scams

The models provided the correct URL only 66% of the time; nearly 30% of responses pointed users to dead or suspended domains.
3 July 2025
Chinese hackers exploited Ivanti flaws in attacks against French government

Chinese hackers exploited Ivanti flaws in attacks against French government

ANSSI believes that the Houken campaign is operated by ‘UNC5174’, an entity believed to act as an initial access broker for China’s Ministry of State Security.
2 July 2025