After a few months of silence, the notorious ransomware operation known as REvil or Sodinokibi has returned to life and is once again attacking new victims.
The first signs of the group’s activity were spotted last week, when the servers of the REvil ransomware gang came back online after nearly two months of shutdown following a large-scale ransomware attack against the US-based software company Kaseya that impacted 60 MSPs and over 1,500 businesses in July. The hackers exploited a zero-day vulnerability (CVE-2021-30116) in the Kaseya VSA remote management platform to deploy ransomware to hundreds of IT management companies running Kaseya’s software.
The REvil ransomware gang then demanded $50 million for a universal decryptor for all Kaseya victims; however, the company later announced that it had received the decryptor from a “trusted third party”.
The ransomware attack caught the attention of the media and the law enforcement authorities that increased pressure on the group. On July 13, REvil shut down their infrastructure and went silent.
However, on September 7, REvil’s dark web leak site, also known as the Happy Blog, as well as the group’s Tor payment/negotiation portal, came back online. Two days later, on September 9, a new REvil malware sample was uploaded to VirusTotal.
According to the group’s new representative, who goes online as ‘REvil’, the gang temporarily shut down its operations after the group’s previous representative, known as ‘Unknown’, disappeared, prompting concerns that he had been arrested and that the servers had been compromised.