What happened to REvil? - The infamous ransomware


The REvil ransomware group became an infamous cybersecurity threat over the last year. In 2020, their tool was classified as the most prolific ransomware-as-a-service. Since then, they have disappeared.

The Disappearance

The group that was responsible for the high-profile JBS and Kaseya ransomware attacks has reportedly gone dark. Researchers observed that the REvil's dark web advertisement pages had been shut down since last week. In addition to extortion pages and servers going offline.

It's worth noting that REvil, also known as Sodinokibi, was linked to the GandCrab malware developers in 2018. GandCrab-affiliated threat actors targeted healthcare institutions, including Doctor's Management Service, a medical billing company.

After making a stunning $2 billion in ransom payments in a one-year operational period, GandCrab would later announce that they were shutting down their hacking boots in 2019.

Investigators identified remarkable parallels between the two organizations soon. This came after the REvil ransomware appeared in a number of extortion operations. In fact, they expressed their belief that the REvil ransomware group was founded by former members of GandCrab.

REvil was a company of sorts. It marketed hacking tools and other cyber goods to third-party hackers until recently. The dark web served as a hub for posting advertisements and negotiating ransomware payments with victims.


Cybersecurity specialists are still puzzled as to what caused REvil to vanish from the internet. Various ideas have been proposed in an attempt to explain why one of the world's most dangerous ransomware organizations decided to shut down.

On one hand, considering that the group has never taken every element of its operation down since its inception in 2019 the prospect of a permanent existence is difficult to dismiss.

REvil's decision, according to some cyber specialists, may have been chosen in reaction to US President Biden's threat of a more robust attack on cybercriminal operations.

According to allegations in the media, US Vice President Joe Biden has urged Russian President Vladimir Putin to commit to fighting global cybercriminal organisations operating within Russian borders.

For a long time, the Putin administration has been accused of being tolerant toward Russian-based threat actors. This is as long as they do not target domestic companies and institutions. In reality, several studies have shown that the Russian government was some of the most heinous cyberattacks against US governmental institutions in recent years.

REvil is one of the cybercriminal groups that has benefited from Russian leniency; the ransomware organization has coordinated many large assaults against high-tier enterprises connected to vital US infrastructure.

Despite this, cybersecurity experts believe the ransomware group's action is a tactical move to rethink its operational approach. The possibility is based on previous events in which cybercriminal groups have suspended their operations in the wake of significant media and law enforcement attention. The groups would later reappear after a rebranding process that would help with avoiding detection.

REvil ransomware, according to analysts, is a commodity that might be rented out to other threat actors. This implies that, despite their absence from the dark web, REvil's might should not be underestimated, according to Egnyte's cybersecurity specialist Neil Jones.

The "cybersecurity evangelist" advised companies against letting their defenses down in an interview with CPO Magazine. Failure to maintain strong cybersecurity barriers might expose organizations to a likely and fast ransomware resurgence.


Although it may be too early to determine the exact reasons surrounding REvil's outage. Public and private sector players must work together to secure business environments in a timely manner. Relevant authorities should invest in additional cybersecurity solutions.




Aug. 27, 2021

Anonymous is my hero without a doubt