REvil Revival: Are Ransomware Gangs Ever Really Gone?

The infamous ransomware group appears to be back from the dead -- maybe -- and using the old brand, but experts question whether a reconstituted gang will have much success.


Evidence that members of the defunct REvil group may be reviving the ransomware gang continues to accumulate, but cybersecurity experts question whether the group will have the same impact that it once did.

On April 29, anti-malware firm Avast revealed that the company's software had blocked a ransomware sample that appeared to have been built using information only former members of the REvil group could have accessed. The discovery came more than a week after cybersecurity firm Emsisoft revealed that the Web address of REvil's leak site now points to a new host, which both uses the REvil name and claims to have compromised a US university and an oil company in India.

These two breadcrumbs suggest that someone (or someones) has access to the REvil group's source code and infrastructure and may be restarting the operation, says Brett Callow, threat analyst at Emsisoft. They don't, however, prove it's the old crew getting back together.

"These facts do not necessarily prove ... that the old REvil gang is back," he says. "Instead, they simply indicate that one or more people who were previously connected with the operation have decided to pick up the reins."

Either way, the apparent resurrection of the group highlights the difficulty that cybersecurity professionals, law enforcement, and prosecutors have in disrupting successful cybercriminal groups. 


Following the critical attacks on meat processor JBS and IT management firm Kaseya in 2021, REvil shut down for a few months but reappeared in September. Then in January, Russian officials reportedly arrested 14 members of the group and raided more than two dozen locations, raising hopes that the takedown would last.

Instead, the group seems to have fragmented, with members working with other ransomware operations. Now some members may be making a half-hearted attempt to resurrect the REvil brand. The tepid revival raises the question of what constitutes a group, Callow says: a couple of satellite members working together to re-create the ransomware gang's operation would not seem to pose an equal threat.


About the Authors

Robert Lemos

Dark Reading, Contributing writer

Robert Lemos is a veteran technology journalist and a former research engineer. He's written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science and Wired News. He has won five awards for journalism and crunches numbers on various trends using Python and R. 
