Skip to main content

Businesses warned as REvil ransomware gang appears to be back online

Computer hacker wearing hooded shirt using computer at table
(Image credit: Getty Images)

Growing evidence is pointing to the re-emergence of the REvil ransomware gang, the prolific group known for its potent ransomware and cybersecurity threats (opens in new tab).

Despite having reportedly been dismantled at the beginning of the year by Russia’s internal security agency, and making arrests at operator’s homes in Ukraine, the outfit could be up and running again.

Pancak3 and Soufiane Tahiri, security researchers on Twitter, spotted movements on a new REvil leak site, which was being promoted on the RuTOR forum-cum-marketplace.

However, other commentators seem less convinced the threat is real, although the fact that a new domain has surfaced with blatant links to the group looks like being a firm indicator that REvil is back in action.

Related: The best data recovery software (opens in new tab).

Successful ransomware activity

REvil, also known as Sodinokibi or Sodin, has had a pretty successful track record when it comes to its earlier ransomware activities. It has previously targeted high-profile organisations, including nuclear weapons contractors in the U.S. and British VOIP providers on this side of the pond.

The new website features a patchy collection of new and old leaks, with links to some that are offline. However, the site also contains a recruitment area, which contains information that could be of interest for affiliates looking to join the group, including one to RuTOR, the Russian-speaking outlet.

Russia originally claimed that its security agency had shut down the REvil infrastructure following requests from the U.S. However, now that the war in Ukraine has been continuing for nearly two months, commentators are raising questions as to whether or not the gang actually has links to the Russian government.

"For many in the cyber community, the reemergence of REvil amid the Russia-Ukraine conflict - and after the alleged arrest and disbanding of the group in January - raises questions of Russian state sponsorship," Justin Fier, VP of tactical risk and response at cyber-defense firm Darktrace told The Register (opens in new tab). "Will Russia use this new iteration of REvil as a force multiplier in ongoing geopolitical tensions?"

Other reports, however, are suggesting that it could simply be a copycat organisation. Either way, business users are being warned to remain diligent and make staff aware of increased threats from Russian-linked cybercrime groups.

Find the best VPN software (opens in new tab).

Rob Clymo
Rob Clymo

Rob Clymo has been a tech journalist for more years than he can actually remember, having started out in the wacky world of print magazines before discovering the power of the internet. Since he's been all-digital he has run the Innovation channel during a few years at Microsoft as well as turning out regular news, reviews, features and other content for the likes of TechRadar, TechRadar Pro, Tom's Guide, Fit&Well, Gizmodo, Shortlist, Automotive Interiors World, Automotive Testing Technology International, Future of Transportation and Electric & Hybrid Vehicle Technology International. In the rare moments he's not working he's usually out and about on one of numerous e-bikes in his collection.