
REvil Ransomware Returns, Already Exposing Data


The REvil ransomware group has fully resurfaced, is attacking new victims and posting stolen files on a data breach site.

Since 2019, the REvil ransomware operation, also known as Sodinokibi, has been conducting attacks on companies all around the world, demanding million-dollar ransoms in exchange for a decryption key and a promise not to leak stolen files.

During its tenure, the gang has carried out numerous attacks on well-known companies such as JBS, Coop, Travelex, GSMLaw, Kenneth Cole, Grupo Fleury, and others.

“Unfortunately, the Happy Blog is back online,” Emsisoft threat researcher Brett Callow tweeted.

REvil’s Disappearance

After their biggest attack, REvil shut down their infrastructure and completely disappeared. The Kaseya VSA remote management platform was the target of a major attack on July 2nd that used a zero-day vulnerability and affected 60 managed service providers and over 1,500 enterprises.

On July 13th, 2021, the REvil gang abruptly ceased operations, leaving many victims in the dark with no method to decrypt their information.

Researchers and law enforcement suspected that REvil would rebrand as a new ransomware organisation at some point after their shutdown.


REvil’s Return

Nevertheless, the REvil ransomware group returned this week under the same name, much to our surprise.

The group's Tor payment/negotiation and data leak sites were reactivated and became available on September 7, over two months after they went down. It was possible to engage with the ransomware group again a day later.

All prior victims' timers were reset, and their ransom demands remained the same as when the ransomware gang shut down in July.

According to ‘REvil’, a new spokesman of the ransomware operation, the group temporarily shut down after believing Unknown (REvil’s previous spokesman) had been arrested and systems compromised on September 9th.

REvil post to Russian-speaking hacking forum. Source: Advanced Intel

A translation of these posts can be read below:

“As Unknown (aka 8800) disappeared, we (the coders) backed up and turned off all the servers. Thought that he was arrested. We tried to search, but to no avail. We waited – he did not show up and we restored everything from backups.

After UNKWN disappeared, the hoster informed us that the Clearnet servers were compromised and they deleted them at once. We shut down the main server with the keys right afterward. 

Kaseya decryptor, which was allegedly leaked by the law enforcement, in fact, was leaked by one of our operators during the generation of the decryptor.”

 – REvil

While we may never know the true reason for the disappearance or how Kaseya gained the decryption key, the most important thing to know is that REvil is back to targeting corporations all over the world.

REvil's skilled affiliates and ability to perform sophisticated attacks could result in devastating business outcomes. It's recommended that all network admins and security professionals become familiar with expert cybersecurity tactics and techniques, especially if employees are working remotely.

Ahmed Khanji


Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.

