The REvil ransomware operators once dominated the ransomware scene. During the second quarter of 2021, experts linked 73% of all ransomware attacks back to the REvil gang. Across 12 months, their brazen campaigns hit more than 300 US-based organizations, and captured more than $11 million in profit.

Per requests from the US, Russia’s Federal Security Service (FSB) arrested and brought criminal charges against suspected members of the group. Authorities pursued 14 suspects across several regions of Russia, including Moscow, St. Petersburg and Lipetsk.

Authorities’ findings

This represents the first time that Russian authorities have taken direct action against the group. More than 426 million rubles, 20 luxury cars –purchased with money obtained via ransomware attacks- and a series of high-value cryptocurrency wallets were seized during the takedown operation.

Previous actions

Last summer, the REvil gang orchestrated a damaging ransomware attack involving a company known as Kaseya, and demanded $70 million in payment. Ultimately, Kaseya did not pay the ransom. Shortly afterwards, the attackers appeared to vanish into thin air.

REvil goes dark

As the summer wore on, the REvil operatives suddenly disappeared from the ransomware scene. This may have been connected to US President Joe Biden’s communications with Russian President Vladimir Putin pertaining to the group. But it’s also possible that the hackers simply wished to take a break, or that they were carefully strategizing around future plans.

In early September, the REvil blog and associated web properties popped back up on the dark web. Payment infrastructure also reappeared online. Experts hedged that REvil may have returned, although such inferences were far from certain. International law enforcement is believed to have temporarily knocked the group offline in October.

Will REvil’s takedown matter?

While REvil might not be on the scene any longer, other ransomware operators continue to operate with impunity. For example, the LockBit ransomware operators recently directed an attack towards Accenture, demanding $50 million in exchange for not disclosing private data.

Although the REvil takedown is arguably a win, it may be more of a “symbolic target” in the fight against ransomware. Experts judge REvil’s removal as of limited impact in the context of the larger ransomware threat landscape.


Nonetheless, the takedown of REvil has been widely celebrated in the world of cyber security. “The organized criminal community [REvil] ceased to exist, the information infrastructure for criminal purposes was neutralized,” states a translated version of a recent FSB statement.

Detained members of the REvil group were charged with committing crimes under Part 2 of Article 187 “illegal circulation of means of payment” of the Criminal Code of Russia.

REvil represents one of the most prolific ransomware gangs known, and some say that this takedown sends a message to similar groups. Others remain more skeptical about the motives behind the takedown and the long-term implications. One thing is clear – destructive ransomware gangs still abound, and businesses should plan accordingly.

For more information about ransomware prevention, click here. For information about ransomware remediation, click here. Lastly, please join us for the premiere cyber security event of the year, CPX 360 2022. Register here.