{
	"id": "c33aef6a-dac7-4ec0-9f5d-89327ad20884",
	"created_at": "2026-04-06T00:10:57.391222Z",
	"updated_at": "2026-04-10T03:21:06.019728Z",
	"deleted_at": null,
	"sha1_hash": "00e00e66620385380d5106208a6b10659990c51b",
	"title": "REvil's Cybercrime Reputation in Tatters - Will It Reboot?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 151512,
	"plain_text": "REvil's Cybercrime Reputation in Tatters - Will It Reboot?\r\nBy Mathew J. Schwartz\r\nArchived: 2026-04-05 20:09:11 UTC\r\n3rd Party Risk Management, Business Continuity Management / Disaster Recovery, Critical Infrastructure Security\r\nRebranding Remains Easy for Ransomware Groups, While Affiliates Already Come and Go (euroinfosec)\r\nOctober 27, 2021\r\nREvil's data-leak site (pictured) and payment portal disappeared after its July attack against Kaseya, only to reappear without explanation in September, before being hijacked earlier this month\r\nWill the notorious ransomware operation known as REvil, aka Sodinokibi, reboot once again after someone apparently messed with its infrastructure?\r\nREvil first appeared in April 2019 as a spinoff of GandCrab ransomware and quickly established itself as one of the dominant ransomware-as-a-service operations. The operation developed the ransomware and later added a dedicated data leak site to name and shame victims and publish stolen data. It recruited business partners - or affiliates - to take the malware and use it to infect victims, in exchange for partners being promised a 70% cut of every resulting ransom payment.\r\nOver the summer, however, rival DarkSide's hit on Colonial Pipeline, plus REvil's hits on meat processing giant JBS and managed service provider software developer Kaseya - among many others - led the White House to move to better crack down on ransomware. Reportedly, a consortium of Western law enforcement agencies has been more actively disrupting ransomware operators' infrastructure, including that of REvil.\r\nhttps://www.bankinfosecurity.com/revils-cybercrime-reputation-in-tatters-will-reboot-a-17802\r\nPage 1 of 4\r\nAfter going dark in July, REvil's Tor-based sites reappeared without explanation in September, listing fresh victims. Shortly thereafter, researchers at New York-based threat intelligence firm Advanced Intelligence, aka AdvIntel, reported that the Exploit cybercrime forum had published a report from its own malware reverse-engineering specialists, finding that all REvil samples up to July included a backdoor seemingly designed to let administrators decrypt files for a victim without affiliates knowing, so administrators could keep 100% of a ransom payment.\r\nTor-Based Sites Hijacked\r\nRecently, REvil's sites again went offline, after one of its administrators, 0_neday, committed a basic operational security error and attempted to restore the existing sites from backups, rather than launch new ones. After reporting that the sites had been hijacked, 0_neday announced that the server would be taken offline, warning that someone had apparently been \"looking for\" him.\r\nReuters reported that the disruption was tied to a multigovernmental effort, although it published no evidence to back that up. But multiple ransomware operations believe that Western law enforcement or intelligence agencies have stepped up their disruption efforts.\r\nOne outstanding question now: Will REvil return, or has the brand been burned? Notably, core administrator UNKN - aka Unknown - hasn't been seen or heard from since July, leading some members of REvil to say they suspect he might be dead.\r\n\"REvil as a brand is likely gone for good as affiliates and other threat actors would probably not want to collaborate with an operation that was reportedly compromised by law enforcement,\" says Brett Callow, a threat analyst at security firm Emsisoft. \"Whether the individuals behind REvil are also gone for good is an entirely different matter. Unfortunately, it's not at all unlikely that they'll make a comeback under a new name.\"\r\nIndeed, cybercrime operations that catch unwanted heat sometimes just rebrand, as DarkSide did by becoming BlackMatter.\r\nREvil's Reputation Fades\r\nREvil has faced increasingly hostile questioning on cybercrime forums since its reappearance in September, says Victoria Kivilevich, director of threat research at Israeli threat intelligence firm Kela. That has included \"speculations about UNKN's fate, public clashes of the new representative with other threat actors, including LockBit's administrator, the announcement of recruiting affiliates on RAMP, and publication of six new victims on REvil's blog,\" she says.\r\n\"The most common reaction between threat actors was the prejudice against working with REvil again since they did not provide sufficient explanations about the Kaseya attack, the group's disappearance and reemergence, and - probably the most serious claim - the reason behind using the same infrastructure that could be compromised,\" she says. \"Combined with news about a secret backdoor enabling REvil's creators to scam its affiliates, such discussions significantly disrupted REvil's reputation.\"\r\nLeadership in Turmoil\r\nThe original configuration of REvil appeared to be five or six administrators, each with different roles - two focused on affiliates, two more on the back end, says John Fokker, the principal engineer and head of cyber investigations for Advanced Threat Research at McAfee Enterprise.\r\nHe notes that Unknown's disappearance - whereabouts still unknown - might explain why 0_neday was behind the attempt to restore REvil's Tor-based data leak site and payment portal. But 0_neday made a rookie mistake by failing to launch the site with a new private key, leading to a new .onion address that he could have announced via Pastebin or another free text-sharing site.\r\nChatter on the XSS cybercrime forum about 0_neday's botched attempt to restore REvil's Tor sites (Source: John Fokker, McAfee)\r\nREvil doesn't appear to be operating at full strength. Even so, key to disrupting the likes of REvil will be not just arresting administrators but also the affiliates that take the crypto-locking malware and use it to infect victims, Fokker says.\r\nAccording to cybercrime intelligence firm Intel 471, affiliates regularly work with multiple ransomware operations, sometimes at the same time, meaning the most experienced ones wouldn't hesitate to work with the likes of Conti or LockBit 2.0 - if they aren't already - if they believe REvil to be burned.\r\nAs that highlights, REvil is of course only one operation, and numbers suggest its disappearance isn't having a big impact.\r\nNot all ransomware operations run data leak sites or blogs, which makes it difficult to count the total number of ransomware victims. But of the groups that do, including REvil, Kela reports that they collectively listed 205 victims in June. In August, after REvil's disappearance, such sites listed 248 new victims, growing to 251 in September.\r\n\"One can see that the ransomware groups' activities are steadily growing,\" Kela's Kivilevich says. \"The disappearance of one group does not significantly influence the overall ransomware threat, as also could be seen from the shutting down of DarkSide, Avaddon and other groups active this year.\"\r\nArresting Affiliates Remains Challenging\r\nNo doubt law enforcement is seeking to unmask and arrest REvil's administrators, if they haven't already started to do so. But Fokker of McAfee Enterprise says police need to better identify and arrest affiliates, since they're so integral to the ransomware business model and are not beholden to REvil or any other group.\r\n\"If the ransomware name goes away, you still have these people doing 99% of the whole intrusion,\" Fokker says. \"They're skilled, and they'll move to something else. Heck, they can use BitLocker, from Microsoft, to lock somebody's computer, and they can still earn money.\"\r\nEven as groups come and go, the opportunity for easy, safe profits continues to attract new players as well.\r\n\"The fact that they can make so much money and have such a small chance of being caught - they're not going to stop,\" Fokker says. \"It's real simple: The money is too addictive. They're not going to stop.\"\r\nSource: https://www.bankinfosecurity.com/revils-cybercrime-reputation-in-tatters-will-reboot-a-17802",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bankinfosecurity.com/revils-cybercrime-reputation-in-tatters-will-reboot-a-17802"
	],
	"report_names": [
		"revils-cybercrime-reputation-in-tatters-will-reboot-a-17802"
	],
	"threat_actors": [],
	"ts_created_at": 1775434257,
	"ts_updated_at": 1775791266,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00e00e66620385380d5106208a6b10659990c51b.pdf",
		"text": "https://archive.orkl.eu/00e00e66620385380d5106208a6b10659990c51b.txt",
		"img": "https://archive.orkl.eu/00e00e66620385380d5106208a6b10659990c51b.jpg"
	}
}