Dismantling a Prolific Cybercriminal Empire: REvil Arrests and Reemergence

John Fokker writes:

We’ve recently seen reports that the REvil ransomware gang is back online after the January 2022 arrests of several its members by Russian authorities claiming to dismantle the group and the November 2021 arrests of two members by U.S. authorities. While it remains to be seen if this re-emergence of REvil includes its most aggressive members with the same technical skills or is merely a copycat group lifting off the old name and parts of the infrastructure, we have seen a steady stream of new REvil binaries in the wild. Currently our main hypothesis is that one or several individuals have gained control over the old REvil Happy Blog and some binary source code. It is important to note that REvil was already a re-branding of GandCrab to gain influence and attention, therefore it is remarkable that the name REvil, given its infamy, is being used again/still. This gives us reason to believe the original key members of REvil group are most likely not involved.

However, reemergence or not, it has our interest.

Read their very interesting report on Trellix.com.

h/t, @BrettCallow

About the author: Dissent

Comments are closed.