
They're Back!

Sept. 9, 2021
Signs point to ransomware-as-a-service outfit REvil taking the unprecedented step of returning to the fold.

When ransomware groups like DarkSide and REvil disappeared weeks back, they were essentially following a routine pattern: appearing, making a splash with a series of attacks (some publicized, others kept under wraps), and then disappearing and presumably disbanding.

However, what is happening now is unprecedented. As the Happy Blog is reactivated, signs are pointing to the ransomware gang REvil resurfacing.

“Typically, when ransomware groups and their associated leak websites go offline, they either shut down their operations on their own accord (and provide decryption keys) or they’ve been shut down by law enforcement agencies,” Tenable researcher Satnam Narang tells IndustryWeek. “With all of the attention they received following the Kaseya attack, REvil’s exit was abrupt. It led to tons of speculation as to what had happened, and whether or not they would rebrand and return under a new ransomware moniker. REvil’s return is therefore unprecedented.”

Of course, REvil itself is quite likely a reincarnation of a previous group, explains Steve Moore, chief security strategist at Exabeam. “After all, adversaries' talent and confidence is stronger after prior successes,” he says.

Moore encourages organizations to think about the resurfacing two-fold: 

“First, they undoubtedly have their next software supply chain compromised. The technique began in espionage and has now been borrowed for criminal activity; this campaign hasn't started yet – but will very soon,” he says. “On the other hand, defenders should focus more on the missed intrusion and poor recovery options and less on ransomware. Ransomware is the product of being unable to detect and disrupt the cycle of compromise – period.”

At this point, it is unclear what REvil’s future holds, explains Narang. “Whether this is indeed the beginning of a full-fledged return remains to be seen,” says Narang. “It may very well be that REvil is gearing up for the next phase of attacks. Even with other competitors in this space, REvil is one of the premier ransomware-as-a-service operations and they will likely return to prominence in due time.”

Adds Moore, “Directly, REvil took time to refit, retool, and take a bit of a holiday over the summer. The fact their sites are back online means they are, again, ready for business and have targets in mind.”
