{
	"id": "24f1263a-eef4-4e00-9c7c-aa99abd9d197",
	"created_at": "2026-04-06T00:10:18.328429Z",
	"updated_at": "2026-04-10T13:12:51.170209Z",
	"deleted_at": null,
	"sha1_hash": "dff5bcc625d95071e0ddcb3ce1f95aa6e0408369",
	"title": "REvil ransomware group returns following Kaseya attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65728,
	"plain_text": "REvil ransomware group returns following Kaseya attack\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-18 · Archived: 2026-04-05 19:24:26 UTC\r\nDark web portals previously operated by the REvil ransomware gang have come back to life earlier today,\r\nsparking fears that the once-vaunted ransomware gang will soon resume its attacks.\r\nThe website, called the Happy Blog, was one of the many servers that REvil members shut down on July 13,\r\nearlier this year.\r\nThe group took down its web infrastructure following a mass ransomware attack against Kaseya servers during\r\nthe July 4th US holiday that hit thousands of businesses, an incident that drew veiled threats and the attention of\r\nWhite House officials.\r\nAt the time, many suggested the group had disbanded and was preparing to launch a new rebranded ransomware\r\noperation in an attempt to throw off US law enforcement investigators and security firms.\r\nBut earlier today, almost two months since the shutdowns, the group's Happy Blog, a website where REvil\r\noperators typically listed victims who refused to negotiate or pay ransoms, is back online on the dark web,\r\naccording to security researchers from Recorded Future and Emsisoft.\r\nAt the time of writing, the website is still listing the same victims it listed at the time of its shutdown on July 13.\r\nIn addition, REvil's \"payment portal,\" where victims are told to go and negotiate with the REvil gang, has also\r\nbeen restored at the same old dark web .onion URL.\r\nhttps://therecord.media/revil-ransomware-group-returns-following-kaseya-attack/\r\nPage 1 of 2\n\nAt the time of writing, no new REvil samples have been spotted by security researchers, and it remains unclear if\r\nREvil operators have also launched new attacks.\r\nSource: https://therecord.media/revil-ransomware-group-returns-following-kaseya-attack/\r\nhttps://therecord.media/revil-ransomware-group-returns-following-kaseya-attack/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/revil-ransomware-group-returns-following-kaseya-attack/"
	],
	"report_names": [
		"revil-ransomware-group-returns-following-kaseya-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434218,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dff5bcc625d95071e0ddcb3ce1f95aa6e0408369.pdf",
		"text": "https://archive.orkl.eu/dff5bcc625d95071e0ddcb3ce1f95aa6e0408369.txt",
		"img": "https://archive.orkl.eu/dff5bcc625d95071e0ddcb3ce1f95aa6e0408369.jpg"
	}
}