In July, the REvil ransomware group disappeared from the internet. Experts suggest that this may have been connected to US President Joe Biden’s communications with Russian President Vladimir Putin, which called for an end to rogue ransomware gangs. Questions about whether or not REvil had been permanently expunged from the internet persisted, and some security analysts expected to see the group resurface.

The hackers appear to have returned from their hiatus. On Tuesday, security researchers reported that REvil’s dark web Happy Blog and other related REvil websites had popped up on the dark web. Major security firms confirmed that much of REvil’s infrastructure, including payment systems, had also reappeared.

The REvil group may have vanished in order to buy itself distance from law enforcement. Alternatively, law enforcement may have found and disbanded the group. Some speculators suggest that the hackers may have interrupted their own operations due to internal disputes.

CISOs’ experiences: REvil

A duplicitous decryption key scheme? Mike Hamilton, former CISO of Seattle, states that one company paid a ransom to REvil, but that the decryption keys provided did not work properly. Although ransomware gangs like REvil manage a customer support desk, REvil “went dark” after this group’s decryption keys failed. As a result, the affected organization was forced to heavily invest in ransomware remediation efforts. Ultimately, the firm lost financial resources two fronts; ransomware decryption key payment and network rebuilds.

Has REvil really returned?

Independent cyber security experts contend that REvil may not have returned after all. Law enforcement agencies may be tinkering with REvil’s tools. Nonetheless, other experts believe that REvil may be gearing up for new ransomware attacks; perhaps the group took time to retrofit and retool. Some experts suggest that the group could emerge with a new ransomware variant in the near future.

REvil’s deployments

Within the last year, The REvil group distributed ransomware across 360 US-based organizations. The group has brought in more than $11 million.

  • In May of this year, a REvil ransomware attack on JBS foods resulted in food supply chain challenges for nearly five days in the US and abroad.
  • In April, REvil launched a cyber attack on Apple, just ahead of the firm’s upcoming product launch. REvil requested $50 million in payment. As described in a past Cyber Talk article, the original attack hit Quanta, a manufacturer of Apple products.
  • In June, a REvil attack affected a US nuclear weapons subcontractor.
  • In July, the Kaseya incident directly affected 1,500 organizations worldwide, freezing their files and inhibiting business productivity.

What does REvil’s return mean for your business?

Historically, REvil targeted high-profile enterprise and organizations. The group claims responsibility for hundreds of cyber attacks. Regardless of your industry, your business should take steps to avoid ransomware threats. Block ransomware with the latest anti-virus software, scan your network on a regular basis, help your employees avoid phishing threats, and ensure that data backups remain on-hand.

Discover additional ransomware threat prevention insights here. Want more of this type of content? Stay up-to-date when it comes to ransomware threats with Cyber Talk’s weekly newsletters.