Reading Time: 2 minutes

Dark web portals once administered by the REvil ransomware gang have come back online today, sparking concerns that the celebrated ransomware gang will soon recommence its attacks.

During the July 4th US holiday, the group took its web infrastructure down after a mass ransomware attack against Kaseya servers. These were the same incidents that gathered the attention of the White House officials.

However, both the US and Russian authorities have denied any involvement in the mysterious disappearance of this Russian-speaking ransomware gang.

At that time, it looks as if the group had been disbanded and planned to execute a new ransomware attack on various US law enforcement investigators and security firms.

Soon after an increase in the rise of ransomware attacks across the US, Joe Biden (US President) took initiative and hosted a cybersecurity meeting with various tech giant CEOs. The purpose of this meeting was to discuss how companies are ensuring cybersecurity after recent waves of ransomware attacks and security breaches.

As per social media tweets by various security researchers, multiple websites, including Happy Blog, directly connected to REvil, had resurfaced.

According to a tweet by the editor-in-chief of bleeping computer, the newest entry was from a victim attacked on July 8.


According to ransomware expert Allan Liska,  the return of REvil was inevitable, but this time with a different name and a new ransomware variant.

Things definitely got hot for them for a while, so they needed to let law enforcement cool down. The problem (for them) is, if this is really the same group, using the same infrastructure they didn’t really buy themselves any distance from law enforcement or researchers, which is going to put them right back in the crosshairs of literally every law enforcement group in the world (except Russia’s). I’ll also add that I’ve checked all of the usual code repositories, like VirusTotal and Malware Bazaar, and I have not seen any new samples posted yet. So, if they have launched any new ransomware attacks there haven’t been many of them.

As the Emisoft threat analyst, Brett Callow said that REvil attacked at least 360 US-based organizations this year.

Several REvil’s victims found themselves in a tough spot, even after the group got shut down in July. For example, Mike Hamilton, former CISO of Seattle and now CISO of ransomware remediation firm Critical Insight, said that one company paid a ransom after the Kaseya attack and received the decryption keys from REvil but found that they didn’t work.

Some of our customers got off really easily. If you had that agent installed on unimportant computers, you just rebuilt them and got back to life. But we got a distress call a few days ago from a company that got hit hard because they had a company managing a lot of their servers with the Kaseya VSA. They got a lot of their servers hit and had a lot of information on them, and so they brought in their insurance company and decided to pay the ransom”.

According to a report published by the security company BlackFog, out of all of the ransomware attacks in August, REvil accounted for more than 23% of the attacks they tracked last month. That was more than any other group tracked in the report.