On September 9, a new version of the REvil ransomware was uploaded to VirusTotal, compiled on September 4.
The extortionist group REvil, which disappeared from sight a few months ago, has returned to activity and is attacking companies again. The first signs of the group's activity appeared last week, when the REvil portal on the darknet went back online.
REvil entered the ransomware scene in 2019 and became widely known for attacks on a number of large companies, including JBS and Kaseya, from which they demanded multimillion-dollar ransoms to recover encrypted data.
The group shut down its web infrastructure after a massive attack on the American company Kaseya, which affected thousands of enterprises in several countries around the world. The group demanded $50 million from the company for a universal decryptor. In late July, Kaseya announced that it had received the decryption key from a "third party".
For almost two months nothing was heard from the group, but on September 7 the payment site and the REvil leak site came back online with the same list of victims, and on September 9 a new version of the REvil ransomware, compiled on September 4, was uploaded to VirusTotal.
According to a message on one of the hacker forums, the group has a new public representative in place of the REvil administrator who used the pseudonym Unknown (UNKN). According to the new spokesman, who posts as "REvil", the group temporarily ceased operations because of suspicions that Unknown had been arrested and the servers had been compromised. He also said that the universal decryptor obtained by Kaseya simply "leaked" because of an error during key generation, not as a result of a law enforcement operation, as previously thought.
At this point it is unclear exactly what is going on with REvil. According to one of the operators, the group simply went "on vacation". Be that as it may, REvil is active again, which means new attacks should be expected.
![b0e863584fa652d32059f.png](https://telegra.ph/file/b0e863584fa652d32059f.png)
![85a725731d69092f59d18.jpg](https://telegra.ph/file/85a725731d69092f59d18.jpg)