{
	"id": "39a28eff-fc58-4862-8351-a7d0f962a86d",
	"created_at": "2026-04-06T00:12:46.655263Z",
	"updated_at": "2026-04-10T13:12:52.211871Z",
	"deleted_at": null,
	"sha1_hash": "265bb9f27cb9c92a68d0ef81deee158e45c1334c",
	"title": "REvil ransomware's servers mysteriously come back online",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1167127,
	"plain_text": "REvil ransomware's servers mysteriously come back online\r\nBy Lawrence Abrams\r\nPublished: 2021-09-07 · Archived: 2026-04-05 22:32:31 UTC\r\nThe dark web servers for the REvil ransomware operation have suddenly turned back on after an almost two-month absence.\r\nIt is unclear if this marks their ransomware gang's return or the servers being turned on by law enforcement.\r\nOn July 2nd, the REvil ransomware gang, aka Sodinokibi, used a zero-day vulnerability in the Kaseya VSA remote\r\nmanagement software to encrypt approximately 60 managed service providers (MSPs) and over 1,500 of their business\r\ncustomers.\r\nREvil then demanded $5 million from MSPs for a decryptor or $44,999 for each encrypted extension at the individual\r\nbusinesses.\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nThe gang also demanded $70 million for a master decryption key to decrypt all Kaseya victims but soon dropped the price to\r\n$50 million.\r\nAfter the attack, the ransomware gang faced increasing pressure from law enforcement and the White House, who warned\r\nthat the USA would take action themselves if Russia did not act upon threat actors in their borders.\r\nSoon after, the REvil ransomware gang disappeared, and all of their Tor servers and infrastructure were shut down.\r\nTo this day, it is not clear what happened, but it left ransomware victims who wished to negotiate unable to do so and\r\nwithout the ability to restore files.\r\nMysteriously, Kaseya later received the master decryption key for the attack victims and stated it was from a trusted third\r\nparty. It is believed that Russian intelligence received the decryption key from the threat actors and passed it along to the\r\nFBI as a gesture of goodwill.\r\nREvil infrastructure suddenly turns back on\r\nToday, both the Tor payment/negotiation site and REvil's Tor 'Happy Blog' data leak site suddenly came back online.\r\nThe most current victim on the REvil data leak site was added on July 8th, 2021, just five days before REvil's mysterious\r\ndisappearance.\r\nREvil's Happy Blog data leak site\r\nUnlike the data leak site, which is functional, the Tor negotiation site does not appear to be fully operational yet. While it\r\nshows the login screen, as seen below, it does not allow victims to log into the site.\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/\r\nPage 3 of 5\n\nREvil Tor negotiation site\r\nThe gang's http://decoder.re/ is still offline at this time.\r\nIt is unclear at this time whether the ransomware gang is back in operation, the servers have been turned back on by mistake,\r\nor it is due to the actions of law enforcement.\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/"
	],
	"report_names": [
		"revil-ransomwares-servers-mysteriously-come-back-online"
	],
	"threat_actors": [],
	"ts_created_at": 1775434366,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/265bb9f27cb9c92a68d0ef81deee158e45c1334c.pdf",
		"text": "https://archive.orkl.eu/265bb9f27cb9c92a68d0ef81deee158e45c1334c.txt",
		"img": "https://archive.orkl.eu/265bb9f27cb9c92a68d0ef81deee158e45c1334c.jpg"
	}
}