{
	"id": "7383a054-db91-44c3-af79-ac340e3800db",
	"created_at": "2026-04-06T00:13:10.045574Z",
	"updated_at": "2026-04-10T13:11:40.501132Z",
	"deleted_at": null,
	"sha1_hash": "42488823696e8d17f482f894a5e0dddafb887aa9",
	"title": "REvil Disappears Again: 'Something Is Rotten in the State of Ransomware'",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 32672,
	"plain_text": "REvil Disappears Again: 'Something Is Rotten in the State of\r\nRansomware'\r\nBy Flashpoint\r\nPublished: 2021-10-18 · Archived: 2026-04-05 19:16:15 UTC\r\nFlashpoint analysts are tracking the evolving situation around the re-disappearance of REvil, a prolific RaaS\r\ngroup. As of October 17, 2021, the REvil leaks blog, known as the Happy Blog, is offline and inaccessible. \r\nAdditionally, on October 17, a REvil operator announced that the ransomware group was shutting down on the\r\nhigh-tier Russian language forum XSS after their domain had been “hijacked.” The threat actor explained that an\r\nunidentified person had used the private Tor keys of the group’s former spokesperson, “Unknown,” to access the\r\nREvil domain.\r\nAfter the ransomware group shut down in July 2021, REvil operators believed Unknown had disappeared.\r\nHowever, between noon and 5pm Moscow time, the REvil operation stated that the REvil domain was accessed\r\nusing Unknown’s keys, confirming their concerns that a third-party has backups with their service keys. The REvil\r\noperator added that the REvil server was compromised and the hijacker deleted “0-neday’s” access to their hidden\r\nadmin server. 0_neday believes the hijacker was looking for them. 0_neday signed off XSS and wished the\r\nparticipants “good luck” \r\nFlashpoint analysts note that this was an unexpected turn in REvil’s attempt to reconstitute their operations, as the\r\ngroup had just begun recruiting new affiliates on the RAMP forum, and offering unusually high commissions of\r\n90 percent to attract affiliates. Flashpoint analysts are tracking the situation and will provide updates as they arise.\r\nUsers on XSS were generally incredulous at this new announcement. The spokesperson of the LockBit\r\nransomware gang claimed this new disappearance is proof that the REvil re-emergence in September was part of\r\nan elaborate FBI plot to catch REvil affiliates. 
Several threat actors agreed with the LockBit representative and\r\nadded that they believed that REvil will re-emerge again under a totally new name, leaving behind recent scandals\r\nwithout having to pay out old affiliates. Another threat actor added, paraphrasing Shakespeare, “Something is\r\nrotten in the state of ransomware.” \r\nOn October 18, at 10AM EST, the XSS moderators closed the thread where REvil made the announcement and\r\nadvised fellow users to block REvil accounts.\r\nSource: https://www.flashpoint-intel.com/blog/revil-disappears-again/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.flashpoint-intel.com/blog/revil-disappears-again/"
	],
	"report_names": [
		"revil-disappears-again"
	],
	"threat_actors": [],
	"ts_created_at": 1775434390,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/42488823696e8d17f482f894a5e0dddafb887aa9.pdf",
		"text": "https://archive.orkl.eu/42488823696e8d17f482f894a5e0dddafb887aa9.txt",
		"img": "https://archive.orkl.eu/42488823696e8d17f482f894a5e0dddafb887aa9.jpg"
	}
}