{
	"id": "6cd8e0f4-75fe-40b7-9301-d5837853168d",
	"created_at": "2026-04-06T00:13:01.210955Z",
	"updated_at": "2026-04-10T03:21:31.737563Z",
	"deleted_at": null,
	"sha1_hash": "071fb44f0c4883eaacb255d8b6e225dbe97d7a2e",
	"title": "REvil ransomware is back in full attack mode and leaking data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1470518,
	"plain_text": "REvil ransomware is back in full attack mode and leaking data\r\nBy Lawrence Abrams\r\nPublished: 2021-09-11 · Archived: 2026-04-05 13:22:16 UTC\r\nThe REvil ransomware gang has fully returned and is once again attacking new victims and publishing stolen files on a data leak site.\r\nSince 2019, the REvil ransomware operation, aka Sodinokibi, has been conducting attacks on organizations worldwide, demanding million-dollar ransoms in exchange for a decryption key and a promise not to leak the stolen files.\r\nWhile in operation, the gang has been involved in numerous attacks against well-known companies, including JBS, Coop, Travelex, GSMLaw, Kenneth Cole, Grupo Fleury, and others.\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-is-back-in-full-attack-mode-and-leaking-data/\r\nPage 1 of 6\r\nREvil's disappearance act\r\nREvil shut down their infrastructure and completely disappeared after their biggest caper yet: a massive attack on July 2nd that encrypted 60 managed service providers and over 1,500 businesses using a zero-day vulnerability in the Kaseya VSA remote management platform.\r\nREvil then demanded $50 million for a universal decryptor for all Kaseya victims, $5 million for an MSP's decryption, and a $44,999 ransom for individual file encryption extensions at affected businesses.\r\nREvil ransom demand for an encrypted MSP\r\nThis attack had such wide-ranging consequences worldwide that it brought the full attention of international law enforcement to bear on the group.\r\nLikely feeling pressure and concerned about being apprehended, the REvil gang suddenly shut down on July 13th, 2021, leaving many victims in the lurch with no way of decrypting their files.\r\nThe last we had heard of REvil was that Kaseya had received a universal decryptor that victims could use to decrypt files for free. It is unclear how Kaseya received the decryptor, but the company stated it came from a \"trusted third party.\"\r\nREvil returns with new attacks\r\nAfter their shutdown, researchers and law enforcement believed that REvil would rebrand as a new ransomware operation at some point.\r\nHowever, much to our surprise, the REvil ransomware gang came back to life this week under the same name.\r\nOn September 7th, almost two months after their disappearance, the Tor payment/negotiation and data leak sites suddenly turned back on and became accessible. A day later, it was once again possible to log in to the Tor payment site and negotiate with the ransomware gang.\r\nAll prior victims had their timers reset, and it appeared that their ransom demands were left as they were when the ransomware gang shut down in July.\r\nHowever, there was no proof of new attacks until September 9th, when someone uploaded a new REvil ransomware sample compiled on September 4th to VirusTotal.\r\nToday, we have seen further proof of their renewed attacks, as the ransomware gang has published screenshots of stolen data for a new victim on their data leak site.\r\nIf you have first-hand information about REvil's return, you can confidentially contact us on Signal at +16469613731, Wire at @lawrenceabrams-bc, or Jabber at lawrence.abrams@anonym.im.\r\nNew REvil representative emerges\r\nIn the past, REvil's public representative was a threat actor known as 'Unknown' or 'UNKN,' who frequently posted on hacking forums to recruit new affiliates or post news about the ransomware operation.\r\nForum post by REvil's UNKN\r\nOn September 9th, after the return of the ransomware operation, a new representative simply named 'REvil' began posting on hacking forums, claiming that the gang briefly shut down after they thought Unknown had been arrested and their servers compromised.\r\nREvil post to Russian-speaking hacking forum\r\nSource: Advanced Intel\r\nA translation of these posts can be read below:\r\n\"As Unknown (aka 8800) disappeared, we (the coders) backed up and turned off all the servers. Thought that he was arrested. We tried to search, but to no avail. We waited - he did not show up and we restored everything from backups.\r\nAfter UNKWN disappeared, the hoster informed us that the Clearnet servers were compromised and they deleted them at once. We shut down the main server with the keys right afterward.\r\nKaseya decryptor, which was allegedly leaked by the law enforcement, in fact, was leaked by one of our operators during the generation of the decryptor.\" - REvil\r\nBased on these claims, Kaseya's universal decryptor was obtained by law enforcement after they gained access to some of REvil's servers.\r\nHowever, BleepingComputer has been told by numerous sources that REvil's disappearance surprised law enforcement as much as everyone else.\r\nA chat between what is believed to be a security researcher and REvil paints a different story, with a REvil operator claiming they simply took a break.\r\nChat between a researcher and REvil about their disappearance\r\nWhile we may never know the real reason for the disappearance or how Kaseya obtained the decryption key, what is most important is to know that REvil is back to targeting corporations worldwide.\r\nWith their skilled affiliates and ability to perform sophisticated attacks, all network admins and security professionals must become familiar with their tactics and techniques.\r\nSource: https://www.bleepingcomputer.com/news/security/revil-ransomware-is-back-in-full-attack-mode-and-leaking-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/revil-ransomware-is-back-in-full-attack-mode-and-leaking-data/"
	],
	"report_names": [
		"revil-ransomware-is-back-in-full-attack-mode-and-leaking-data"
	],
	"threat_actors": [],
	"ts_created_at": 1775434381,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/071fb44f0c4883eaacb255d8b6e225dbe97d7a2e.pdf",
		"text": "https://archive.orkl.eu/071fb44f0c4883eaacb255d8b6e225dbe97d7a2e.txt",
		"img": "https://archive.orkl.eu/071fb44f0c4883eaacb255d8b6e225dbe97d7a2e.jpg"
	}
}