After the arrest of the members of the group, there are warnings that the ransomware gang REvil is attacking again

Notorious ransomware group REvil she has reappeared, according to several security researchers following her attacks.

The group suspended its operations for the second time in October after claiming in a message posted on a hacker forum that they had lost control of their TOR domains. It later turned out that the police of several countries were responsible for that.

In January, Russia’s Federal Security Service conducted 25 searches of houses owned by 14 people suspected of being part of the REvil team across Moscow, St. Petersburg, Leningrad and Lipetsk. A Moscow court later indicted eight people who were allegedly gang members.

But three weeks ago, researchers discovered that REvil ransomware servers were working again. The group’s blog has also been restored.

Chris Shadow, a senior analyst for cyber threats from Digital Shadows, linked the group’s return to current relations between Russia and the United States, as communication channels established to address cyber security issues after Russia’s invasion of Ukraine were disrupted.

“The potential return of REvil coincides with the closure of a dialogue channel to discuss cybersecurity issues between the United States and Russia. As a result, it is realistically possible that the Russian authorities withdrew from the investigation into the group or otherwise indicated to REvil operators that they could restart their operations, after the arrest of several members in January 2022, “Morgan told The Record. He says it’s “unclear who exactly is coordinating the return of REvil” – maybe it’s a former member of REvil or someone who had access to the source code and infrastructure the group used before. Morgan added that an analysis of the source code used by REvil in recent attacks showed that changes had taken place. The sample that Morgan analyzed does not encrypt the files, which could be explained either as an operational error or that someone is trying to take advantage of the group’s reputation.

The Secureworks Counter Threat Unit has published a detailed analysis of the new REvil sample. According to that analysis, the person behind the return of the group had access to the original source code and parts of the old infrastructure, and is actively developing ransomware. According to the Secureworks Counter Threat Unit, it is possible that not all members of the group were arrested and launched a new operation, or that some branch of the group took over the operation with the blessing of the group.

Source: by

*The article has been translated based on the content of by If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!

*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.

*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!