# REvil ransomware's servers mysteriously come back online **[bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/](https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/)** Lawrence Abrams By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) September 7, 2021 02:19 PM 6 The dark web servers for the REvil ransomware operation have suddenly turned back on after an almost two-month absence. It is unclear if this marks their ransomware gang's return or the servers being turned on by law enforcement. On July 2nd, the REvil ransomware gang, aka Sodinokibi, used a zero-day vulnerability in the Kaseya VSA remote management software to encrypt approximately 60 managed service providers (MSPs) and over 1,500 of their business customers. REvil then demanded $5 million from MSPs for a decryptor or $44,999 for each encrypted extension at the individual businesses. [The gang also demanded $70 million for a master decryption key to decrypt all Kaseya](https://www.bleepingcomputer.com/news/security/revil-ransomware-asks-70-million-to-decrypt-all-kaseya-attack-victims/) victims but soon dropped the price to $50 million. ----- After the attack, the ransomware gang faced increasing pressure from law enforcement and the White House, who warned that the USA would take action themselves if Russia did not act upon threat actors in their borders. Soon after, the [REvil ransomware gang disappeared, and all of their Tor servers and](https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/) infrastructure were shut down. To this day, it is not clear what happened, but it left ransomware victims who wished to negotiate unable to do so and without the ability to restore files. Mysteriously, [Kaseya later received the master decryption key for the attack victims and](https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/) stated it was from a trusted third party. It is believed that Russian intelligence received the decryption key from the threat actors and passed it along to the FBI as a gesture of goodwill. ## REvil infrastructure suddenly turns back on Today, both the Tor payment/negotiation site and REvil's Tor 'Happy Blog' data leak site suddenly came back online. The most current victim on the REvil data leak site was added on July 8th, 2021, just five days before REvil's mysterious disappearance. ----- **REvil's Happy Blog data leak site** Unlike the data leak site, which is functional, the Tor negotiation site does not appear to be fully operational yet. While it shows the login screen, as seen below, it does not allow victims to log into the site. ----- **REvil Tor negotiation site** The gang's http://decoder.re/ is still offline at this time. It is unclear at this time whether the ransomware gang is back in operation, the servers have been turned back on by mistake, or it is due to the actions of law enforcement. ### Related Articles: [The Week in Ransomware - May 6th 2022 - An evolving landscape](https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-6th-2022-an-evolving-landscape/) [Conti, REvil, LockBit ransomware bugs exploited to block encryption](https://www.bleepingcomputer.com/news/security/conti-revil-lockbit-ransomware-bugs-exploited-to-block-encryption/) [REvil ransomware returns: New malware sample confirms gang is back](https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/) ----- [REvil s TOR sites come alive to redirect to new ransomware operation](https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/) [Windows 11 KB5014019 breaks Trend Micro ransomware protection](https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-trend-micro-ransomware-protection/) [Data Leak](https://www.bleepingcomputer.com/tag/data-leak/) [Ransomware](https://www.bleepingcomputer.com/tag/ransomware/) [REvil](https://www.bleepingcomputer.com/tag/revil/) [Tor](https://www.bleepingcomputer.com/tag/tor/) [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. [Previous Article](https://www.bleepingcomputer.com/news/security/jenkins-projects-confluence-server-hacked-to-mine-monero/) [Next Article](https://www.bleepingcomputer.com/news/security/microsoft-shares-temp-fix-for-ongoing-office-365-zero-day-attacks/) ### Comments [AlfaX - 8 months ago](https://www.bleepingcomputer.com/forums/u/1202517/alfax/) Willing to bet they just took a little vacation. Not like they can't afford to be away for a while. [CrashGear - 8 months ago](https://www.bleepingcomputer.com/forums/u/1179602/crashgear/) I knew it was a matter of time, hey for Kaseya message me.. ONLY works on Kaseya though.. ----- [rpcribari - 8 months ago](https://www.bleepingcomputer.com/forums/u/1219179/rpcribari/) Did anybody actually acquire the universal decryptor? I've got a client's drive that still needs to be decrypted. [Lawrence Abrams - 8 months ago](https://www.bleepingcomputer.com/author/lawrence-abrams/) There was no universal decryptor, other than for the kaseya attack. [rpcribari - 8 months ago](https://www.bleepingcomputer.com/forums/u/1219179/rpcribari/) I'm looking for the Kaseya attack decryptor. I can't find an actual download for it. ----- [al1963 - 8 months ago](https://www.bleepingcomputer.com/forums/u/983054/al1963/) login already working + trial decryptor function Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: -----