
REvil appears to return after 14 of its members were arrested in January

The REvil ransomware group, silent since the Russian FSB arrested 14 members and seized assets in late January, appears to have returned.

The group's old victim leaks site now forwards to a new site, featuring old and new victims.

"We obviously can't say for sure that this is [the original] REvil back," said Brett Callow, a ransomware expert with Emsisoft. "But that would be the most logical assumption."

Of particular note among the new victims is Oil India, a state-run oil interest that was hit by ransomware on April 10 by actors asking for $75 million in ransom.

The new site also features a recruitment ad for new affiliates.

[Image: REvil recruitment ad]

The new advertisement touts the same proven ransomware with new improvements.

"It's very hard to say [if REvil will struggle to get its affiliates back]. I actually thought Conti would struggle after it was doxxed," Callow said.

There was "absolutely nothing" in terms of chatter that suggested REvil was planning a return, said Callow. REvil is best known for affiliates holding JBS hostage in 2021 as well as being the ransomware used in the Kaseya supply chain incident.

Callow said he was unsure why the group changed leaking sites, though options include security concerns after the arrests and a general sprucing up of the product.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
