Today, for the latest in my ransomware series, I thought it would be fun to take a look at a more interesting ransomware group with some history. REvil ransomware is an interesting one, since its members were actually tracked down, some were caught, and the group was "disbanded". Let's take a closer look at some of the events during the rise and fall of REvil.

REvil Ransomware History

REvil appeared on the radar in 2020 and quickly became one of the most notorious ransomware groups around. One thing I always found interesting about REvil is that they used the Ransomware as a Service (RaaS) model, making it easy for their software to be deployed into any environment an affiliate attacker could gain access to.

While they did lots of things, like extorting a law firm with famous clients such as Lady Gaga, what they became most notorious for was the Kaseya attack of July 2021. Kaseya is a managed service provider, and in what was pretty much an unprecedented event, every one of their clients using their remote management software was a potential victim. Here's a great document from CISA with more details.

If you are new to the world of ransomware, the Kaseya attack is something people still talk about, even a year later.

It is no surprise, though, that after an attack of that magnitude REvil was on the radar of law enforcement.

The “Fall” of REvil?

Because of this level of attack, as well as others that made the news, like the one on a U.S.-based food supplier, governments started paying attention.

Later in July, REvil disappeared for the first time, after U.S. President Joe Biden called on Putin to shut things down. This was the first disappearance, and people thought REvil may have been done at that point. Later, in August, the FBI seized $2.3 million in Bitcoin from a REvil wallet.

That really didn't deter the group much, because REvil was back soon after, in September. Some were surprised they returned; others, like myself? Not so much.

In September 2021, Bitdefender released a decryptor for REvil ransomware. You would think that once again we would see the end of this group, but not so much.

In October, things really started to heat up. REvil was once again forced offline by multiple governments working together. The best part? Compromised backups led to their ultimate demise.

Things accelerated from here, with indictments of multiple members of the group by multiple governments. Things got quiet for a while, and many thought they had seen the last of REvil.

In June of 2022, a new sample of REvil was found, proving things were not as they seemed: changes were still being made to the code, although we have not seen any new attacks lately.

While we haven't heard much out of REvil, we have heard quite a bit out of many other ransomware groups. We've also seen many groups rebranding, and groups and code that seem "influenced" by others in this area.

REvil could definitely claim some of the most notable and widely reported ransomware attacks of 2021. These attacks made major news headlines and impacted many, many organizations.

If you're fascinated by REvil, don't forget to take a look at some of our other write-ups on notable ransomware strains:

A Closer Look at BlackCat Ransomware

Maui Ransomware

Ransomware In the News: Hello XD

A Closer Look at Conti Ransomware