REvil infrastructure back online
Within the past few days, a new variant of the REvil Ransomware appeared on the VirusTotal platform.
The threat group had ceased all operations (including its extortion blogs) following the large-scale attack against the American firm Kaseya, which cascaded to compromise thousands of enterprises across multiple countries. The ransomware operators demanded 50 million dollars from the company for a universal decryptor. For nearly two months the group remained offline, but on 7 September the REvil leak site returned online with the same victim roster, and on 9 September a new REvil ransomware variant, compiled on 4 September, was uploaded to VirusTotal.
The gang, which had disappeared months prior, resumed activity with new intrusion campaigns; this week it published its “first” victim since the operational pause.
According to a new spokesperson identified as REvil, the group temporarily halted operations due to suspicion that Unknown (the alleged REvil administrator) had been arrested and that servers had been compromised. The spokesperson also claimed that the universal decryptor obtained from Kaseya was simply “leaked” due to an error during key generation, rather than as a result of law enforcement action, as previously believed. Our Cyber Threat Intelligence tracking confirms the timeline and operational resumption pattern consistent with infrastructure reconstitution following suspected law enforcement disruption.
