Renowned for its malicious assaults on well-known enterprises, the infamous REvil ransomware gang is now back at full capacity and is once more attacking a fresh crop of victims before publishing their stolen data files on its dedicated leak site.

Operating since 2019, the REvil ransomware operation (also referred to as Sodinokibi) has carried out devastating attacks on organisations around the world, typically demanding millions of dollars in ransom in return for a decryption key and threatening to publish stolen confidential data online if no payment is made.

While active, the REvil gang has been behind numerous attacks on big-name companies, including Travelex, JBS, Kenneth Cole, Coop, GSMLaw and Grupo Fleury.

The July vanishing act

This summer the REvil group shut down its infrastructure entirely and disappeared after its largest attack to date. On July 2, it launched a wide-scale attack that encrypted around 60 different managed service providers and more than 1,500 businesses by exploiting a zero-day vulnerability in the Kaseya VSA remote management platform.

REvil then demanded a payment of $50m (£36.25m) for a universal decryptor covering all Kaseya victims, $5m (£3.625m) for the decryption of a single managed service provider, and $44,999 (£32,616) for each encrypted file extension on an affected business's systems.

This massive attack had a wide-ranging effect around the world, which led to international law enforcement agencies bringing their full focus to bear on the REvil gang.

Perhaps in response to this increased attention, and for fear of being caught, on July 13 the REvil group suddenly closed down its operation and vanished. This left numerous victims stranded with no way to decrypt their locked files.

The return of REvil

After the shutdown, law enforcement agencies and cybersecurity researchers both believed it likely that the REvil gang would rebrand its operation and become active again under another name. Instead, the REvil ransomware group has astonished industry professionals by returning under its original moniker.

On September 7, close to two months after its vanishing act, the gang's Tor negotiation, payment and leak sites suddenly came back online and became accessible. On September 9, REvil uploaded a new ransomware sample, marking the gang's return.

Now further evidence has surfaced that REvil is back in the ransomware business as if it had never left: the gang's leak site now carries screenshots of data exfiltrated from a new victim.

Additionally, while REvil's previous representative, known as UNKN (unknown), disappeared from hacker forums in July, September has seen a new representative posting simply as "REvil". This account states that the gang only shut down briefly because it believed its servers had been compromised by law enforcement agencies and that UNKN had been arrested by international authorities.

This shows that major cybercrime operators never truly go away and remain a serious threat. To ensure your company is protected, contact our team at Galaxkey today and try a free 14-day trial.