REvil Ransomware Group is Back in Business After Two Months Break

They’re one of the most feared names in the ransomware-as-a-service business. Also known as Sodinokibi, they’ve been paralyzing systems of organizations worldwide and asking for million-dollar ransoms (usually in Bitcoins) in exchange for decryption keys.

After its big Kaseya attack, the REvil ransomware group is in the spotlight again after a small hide-n-seek game, pretending to disappear in July 2021.

New data suggests the group simply took some time off, and now they’re back to their business as usual. Ransomware schemes are one of today’s biggest cyber threats, so you should always stay on alert.

Let’s see how REvil, a Russian-based group operates, and what you can do to protect your data.

REvil’s Ransomware Group Operating Procedure

REvil started to operate in 2019, offering adaptable encryptors and decryptors, infrastructure and services for negotiation communications. The criminal group also has a leak website called “Happy Blog,” where they post victims’ stolen data if they don’t pay the ransom demand.

First, They Targeted VIPs

      • They demanded $42 million from US president Donald Trump; the threat led to nothing except a release of 169 emails which that to Donald Trump or contained the word ‘trump’.
      • They posted legal documents related to singer Lady Gaga
      • They threatened about selling information about Madonna or leaking UK celebrities’ plastic surgery photos.

Then, REvil Group Went After Big Companies

REvil gang has been involved in numerous attacks against well-known companies, including JBS, Coop, Travelex, GSMLaw, Kenneth Cole, Grupo Fleury, and others.

May 2021

REvil’s possible link with the Colonial Pipeline attack

A ransomware attack temporarily disrupted oil supplies across the US eastern seaboard and forced Colonial Pipeline to shut down operations and temporarily cut out IT systems. The investigation linked the DarkSide group as the attackers, but security researchers later discovered this group includes former members of the REvil gang. The researchers also depicted the malware contained codes REvil typically used.
June 2021

REvil’s attack on JBS, one of the world’s largest meat suppliers

The attack led to a temporary shutdown of all the company’s beef plants in the US, negatively impacted US and Australia’s meat supplies, and compromised employees’ data. JBS company eventually paid a ransom of $11 million to regain access to its systems.
July 2021

REvil’s exploit on Kaseya’s vulnerabilities

REvil’s recent attack was against IT management software vendor Kaseya that affected nearly 2,000 companies worldwide. The ransomware gang targeted an unpatched zero-day vulnerability in Kaseya’s VSA software. REvil initially requested a $70 million ransom, then lowered their demand to $ 50 million in return for the decryption key.

Kaseya’s huge impact made US president Joe Biden publicly announce that American intelligence agencies will investigate and fight back if the attack shows any Russian implication.

Rumor has it the pressure has too high for the REvil group to handle, so they soon vanished, shut down their website, leaving many victims stranded with any solution of decrypting their files.

Two months later, the group returned with their leak site accessible again, making it possible for the victims to pay up or negotiate a ransom. Victims had their timers reset, and their ransom demands have the same status from when the ransomware gang shut down in July.

Useful Tips to Stay Away From Ransomware

Ransomware is one of the biggest criminal moneymaking schemes. They go far, and beyond regular computer viruses, so you can expect to find yourself with your device locked down, unable to access your most precious files.

Here’s how you can prevent becoming a ransomware victim:

1. Use an antivirus and a firewall solution

These two are basic elements for your cyber hygiene.

A good antivirus notifies you if something is wrong before your device gets encrypted. Run malware scans regularly and delete any suspicious files.

Likewise, the right firewall solution prevents malicious activity from getting inside your system.

2. Regularly back up your files

Ransomware attacks rely on your willingness to pay to regain access to your files back. Attackers have nothing on you anymore if you keep your documents backed up in the cloud or on storage devices.

If you suspect a ransomware attack, you can just reset your device to factory settings and restore your files.

3. Don’t fall for phishing attempts

Cybercriminals try to trick you into answering an email, an unsolicited phone call, a text message, or even an instant message. Their goal is to get you to click on a link or download an installer that will infect your device with ransomware. Don’t fall for phishing scams and pay attention to all the details online.

4. Always update your software

Most ransomware victims have vulnerable, outdated apps. Reconsider before clicking ‘Maybe later’ on every update notification.

Many times, updates come with security patches. These will prevent malicious parties from exploiting potential vulnerabilities.

Additional tip-off: Keep your email address safe. Many digital attacks, including ransomware, can target your email address, so it’s always a good idea to check if your email address was subject to a data breach.

CyberGhost ID Guard constantly checks your email address against data leaks, so you know if your privacy is at risk.

Log into your CyberGhost VPN account, add your email addresses, and you get an overview of your accounts, all in one place. ID Guard has an ongoing monitoring service and will notify you if your email addresses are ever involved in a breach.


What is a ransomware attack?

Ransomware is a criminal moneymaking scheme. Its name combines ‘ransom’ and ‘malware,’ meaning it is a malicious software, claiming to decrypt files, or to provide a fix on your device if you pay a ransom.

What are the most common methods of attack for ransomware?

The most common ways ransomware infects your system are phishing emails, remote desktop control, downloads from a compromised website, and software vulnerabilities.

How can you recover ransomware files?

The fastest way to recover your files after a ransomware attack is to restore your systems from backups. Get a recent version of your data and applications that don’t contain the ransomware you are infected with. You can remove the ransomware first by resetting your systems to factory defaults.

Depending on the type of ransomware you’re infected with, security experts come up with decryption tools and make them available for you to break the ransomware encryption placed on your files and systems.

Can ransomware attackers steal data?

Yes, they can. Attackers infiltrate in your system’s device, and they can make a copy of your files, encrypt them, and delete the original ones. The copied data become files under attackers’ control.

Should you pay the ransom to get your files back?

Many organizations who were affected by ransomware choose to pay the ransom. However, security specialists suggest this is never a good option. Paying the ransomware demand makes you or a company a repeatable target. The message you send to the attackers is that they can target you again.


What are your cyber hygiene habits to steer clear of ransomware or other online threats?

Let me know in the comments section below.

Leave a comment

Write a comment

Your email address will not be published. Required fields are marked*