Evidence is mounting that the notorious REvil ransomware operation is back up and running, despite multiple arrests and loss of control of its infrastructure.
The notorious and prolific REvil ransomware gang ceased operations in October 2021, following a law enforcement operation that saw the Tor servers that hosted their payment portal hijacked, along with the data leak blog where victims were named. In January this year, the Federal Security Service (FSB) in Russia announced that the ransomware gang had been shut down and 14 suspected members of the ransomware operation were arrested. The FSB said all illegal activities of the gang had been stopped.
“The FSB of Russia has established the full composition of the REvil criminal community and the involvement of its members in the illegal circulation of means of payment, documenting illegal activities has been carried out,” explained the FSB in an announcement on its website in January.
Tensions have risen between Russia and the US in response to the invasion of Ukraine and the sanctions imposed on Russia by the United States. While there has previously been cooperation between the U.S. and Russia and some sharing of intelligence on ransomware operations that are believed to be operating out of Russia, communications between the two countries have now stopped.
In early April, Russian Security Council Deputy Secretary Oleg Khramov said, “the White House has notified us now that it unilaterally withdraws from the negotiations process and shuts down the communication channel.” Khramov also suggested it was the United States, not Russia, that was the aggressor in cyberspace.
While it has been quiet on the REvil front since the November operation and arrests in January, there are now signs that the operation is back up and running. The old REvil dark web infrastructure sprang back to life shortly after the announcement by Khramov that communications had stopped and started redirecting to new sites which listed previous REvil victims along with apparently new victims, such as Oil India.
Oil India confirmed that it had suffered a cyberattack and had been issued with a ransom demand of $7.5 million, and other victims have also been added to the leak site, including a university in the United States. The new blog includes a recruitment page seeking new affiliates and offers an 80/20 split of any ransom payments that are generated. That suggests the ransomware operation is back up and running and has rebranded.
Bleeping Computer has recently reported that a new version of the ransomware has been released which uses a modified encryptor. Multiple security researchers have confirmed that the new encryptor was compiled from the original source code, which means someone with access to that source code must have been involved, such as one of the core developers. At this stage, however, little is known about who is behind the new attacks.