REvil Ransomware Group Resurfaces Over Labor Day Weekend

REvil, the ransomware group behind the JBS meat supplier and massive July 4th Kaseya attacks, reportedly resurfaced over the U.S. Labor Day weekend.

Shortly after what is still considered the largest ransomware attack in history, the Russia-based REvil ransomware gang seemingly disappeared into thin air with media outlets reporting their infrastructure and websites going offline on July 12. These sites included the group’s negotiation and payment site, public forum and contact chat (if this sounds like a business website, it’s because it is in many aspects despite the illegal nature of the operations).

Many experts cited the fact all of their sites being shut down simultaneously was unusual and speculated the gang may have erased their servers due to a supposed government subpoena. Additionally, their XXS administrator banned a user known as “Unknown” from their hacking forum – a user which was believed to have been their public-facing representative of the gang. While there was a brief sigh of relief when their servers disappeared, this ended the ability for those negotiating for their data to contact the group.

Following the abrupt disappearance of their digital footprint, experts who were curious when the gang would resurface did not have to wait long as associated dark web servers for their websites resurfacing over the U.S. Labor Day weekend, including the Happy Blog. This site is where REvil publishes samples of stolen data before locking victims out of the networks and starting the ransomware negotiations. Another portal REvil uses to negotiate payment was also reactivated, although no new activity has been reported.

So why has REvil seemingly reappeared and what’s next?

First, there were very few who thought the gang had disbanded permanently. With a string of high profile victims including U.S. meat supplier JBS, Apple manufacturer Quanta and the now infamous July 4th Kaseya ransomware attack, REvil was one of the top targets of the Biden Administration, who promised to shut down their servers if the Russian government would not act. There was never an official statement from either side, but many speculated that either the White House had delivered on their promise or REvil went into hiding with all of the heat on them.

Another possible explanation is that they were simply on vacation No, really. Like those of us in the workforce, ransomware groups are known to slow down during the summer months and focus on “getting back to work” in the fall and holiday season. Alternatively, there are some that think the sites being reactivated are actually being controlled by law enforcement or the reactivation is simply an accident – this are best case scenario in many views for obvious reasons.

If the servers being activated again are not law enforcement or accidental, the re-emergence of their online presence is plenty cause for alarm based on their track record and a developing story to monitor moving forward.

Related Articles

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit or contact the team at [email protected].

In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2021 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
President Biden Signs K-12 Cybersecurity Act into Law
What Are the Top Cybersecurity Questions of 2021?
Cybersecurity Awareness Month 2021
Biden Administration Announces First Ever Sanctions Against Cryptocurrency Exchange
Apple Releases Emergency Security Update to Address Critical Spyware Vulnerability
REvil Ransomware Group Resurfaces Over Labor Day Weekend
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.