13 September 2021

REvil ransomware gang resumes operations


After a few months of silence, the notorious ransomware operation known as REvil or Sodinokibi has resumed operations and is once again attacking new victims.

The first signs of the group’s activity were spotted last week, when the REvil ransomware gang’s servers came back online after nearly two months of shutdown. The shutdown followed the large-scale ransomware attack in July against the US-based software company Kaseya, which impacted 60 MSPs and over 1,500 businesses. The attackers exploited a zero-day vulnerability (CVE-2021-30116) in the Kaseya VSA remote management platform to deploy ransomware to hundreds of IT management companies running Kaseya’s software.

The REvil ransomware gang then demanded $50 million for a universal decryptor for all Kaseya victims; however, the company later announced that it had received the decryptor from a “trusted third party”.

The ransomware attack caught the attention of the media and law enforcement authorities, which increased pressure on the group. On July 13, REvil shut down its infrastructure and went silent.

However, on September 7, REvil’s dark web leak site, also known as the Happy Blog, as well as the group’s Tor payment/negotiation portal, came back online. Two days later, on September 9, a new REvil malware sample was uploaded to VirusTotal.

According to a new representative of the group, who goes online as ‘REvil’, the gang temporarily shut down its operations after the previous REvil representative, known as ‘Unknown’, disappeared, prompting concerns that he had been arrested and that the servers had been compromised.
