The REvil ransomware gang – also known as Sodinokibi – has fully returned following a period in the darkness since July this year.
According to Bleeping Computer, the group has returned as is once again attacking new victims and publishing stolen files on a data leak site. The gang has been conducting attacks on organisations globally since 2019, where it has been demanding million-dollar ransoms.
Prior to the group going offline, it had conducted an attack on IT service provider Kaseya in a hack that had got into over 1,500 businesses – an attack seen as one of the biggest cyberattacks in history.
However, the group went on to shut down its infrastructure following the Kaseya attack, and had been offline since July 13th 2021. REvil had demanded $50m for a universal decryptor for all Kaseya victims, $5m for an MSP decryption and a $44,999 ransom for individual file encryption extensions at affected firms.
The shutdown was attributed to the fact that the attack had considerable consequences worldwide and brought the full attention of global law enforcement to bear on REvil. The shutdown left many victims in limbo, with no way to decrypt their files.
The group, however, came back online on September 7, with its Tor payment/negotiation and data leak sites turned back on and made accessible.
It was also reported by Bleeping Computer that a new public representative from REvil has emerged. Previously, a threat actor known as ‘Unknown’ commonly posted on hacking forums to recruit new members or post updates on the group’s operations. However, since the return, a new representative named ‘REvil’ has taken on this role.
Copyright © 2021 RegTech Analyst
Copyright © 2018 RegTech Analyst