REvil Ransomware on Darknet Diaries

Community Feature - @BushidoToken

Curated Intelligence co-founder Will T recently sat down with Jack Rhysider from Darknet Diaries to discuss how the REvil ransomware group changed the game forever. From its appearance in early 2019 until its disappearance after the Kaseya hack, the group gained the attention of the world with daring, financially motivated cyberattacks.

Will shared a blog on the Evolution of REvil in July 2021, shortly after the core REvil group exited the scene. In November 2021, several REvil affiliates were arrested across Europe, in Poland and Romania. Members of REvil were subsequently arrested by the Russian FSB on 14 January 2022, as announced in a press release.

Where is REvil now?

  • Interestingly, some REvil activity continued to be reported by researchers after the arrests. ReversingLabs reported additional implants, suggesting something was still causing the ransomware to spread.
  • The REvil samples that kept appearing were seemingly the result of the ransomware binary being co-opted into other campaigns, such as LV ransomware and RansomCartel.
  • Recorded Future analysts also said they believe the ALPHV (BlackCat) ransomware author was previously involved with the infamous REvil ransomware organization in some capacity.

Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content, let us know!