The notorious ransomware gang "REvil" (aka Sodinokibi) has vanished from the Internet without any explanation. The disappearance of REvil occurred around the same time that its representatives were banned from Russian-speaking cybercriminal forums and a group of REvil’s, “Prometheus”, removed all mentions of REvil from its site. The disappearance also came shortly after REvil took responsibility for a large-scale supply-chain attack via the software supplier Kaseya, which allegedly resulted in one million systems being encrypted. It is likely that this attack may have resulted in pressure from law enforcement and possibly arrests of affiliates. It is also possible that REvil may have received a substantial profit from recent campaigns and deliberately shut down operations. Whatever the reason for the group’s disappearance, this event is likely to impact the ransomware threat landscape. REvil was one of the first groups to utilize “double extortion” techniques and set the path many other ransomware groups followed.
Most Recent Flipbooks
Weekly Intelligence Summary 27th August
The well-established “Mozi” peer-to-peer (P2P) botnet has developed new persistence capabilities.
Weekly Intelligence Summary 20th August
A configurable, malicious Traffic Direction System (TDS) has been enabling widespread malware attacks.
Weekly Intelligence Summary 13th August
A years-long reconnaissance campaign against an employee of a US aerospace defense company was discovered and attributed to “TA456”, an Iranian state-backed advanced persistent threat (APT) group.
Weekly Intelligence Summary 6th August
The new “BlackMatter”, “Haron”, and “El_Cometa” ransomware groups, which surfaced in the past three weeks, bear significant similarities to ransomware groups that disappeared last month
Weekly Intelligence Summary 9th July
A vulnerability in Kaseya’s virtual system/server administrator (VSA) software has been exploited to deliver the “REvil” ransomware to multiple managed service providers.