Russian IT Experts: Revival Of REvil Ransomware Group Possible

A Russian cybersecurity professional and hacker interviewed by Current Time contend that the July 13 disappearance of the ransomware group REvil does not mean that the Russian-language hackers’ operations are over.

On July 13, as of 8 a.m., Moscow time, the group’s Happy Blog site, where it published victims’ data with ransom demands, vanished from the darknet, and its technical support account was banned on hackers’ forums.

REvil’s disappearance from these locations occurred nearly four days after a July 9 phone call between U.S. President Joe Biden and Russian President Vladimir Putin in which Biden had urged the Russian leader “to take action to disrupt ransomware groups operating in Russia.”

Your browser doesn’t support HTML5

How Ransomware Hackers Operate


In June 2021, the FBI blamed REvil, also known as Sodinokibi, for a cyberattack against the world’s largest meat producer, the Brazilian company JBS. The attack caused JBS to shut down work in its factories in the U.S., Canada, and Australia. As a result, the company paid an $11 million ransom to the involved hackers.

In April, REvil claimed responsibility for breaking into Quanta, a Taiwanese company that produces Macbooks for Apple.

Most recently, in July, the group has been linked with ransomware attacks affecting, by some estimates, more than a thousand companies.

The scope of these attacks prompted some U.S. cybersecurity specialists to suspect that REvil is connected with the Russian government. Russia routinely ranks within the top 10 sources for cyberattacks, but Russian officials are not known for their prompt hacker investigations.

“We know that they are protected most likely by Russian intelligence or the Russian government, as are most ransomware groups, which has allowed them to flourish over the last 18 months,” Marc Bleicher, the managing director of Arete Incident Response, a U.S. company that has acted on behalf of REvil victims, commented to CNBC on April 23.

REvil disappeared from the darknet after a July 9 phone conversation between U.S. President Biden and Russian President Vladimir Putin.

In remarks to reporters, Biden stated that “I made it very clear to [Putin] that the United States expects when a ransomware operation is coming from his soil, even though it’s not — not — sponsored by the state, we expect them to act if we give them enough information to act on who that is.”

The president did not elaborate about the U.S. response to such an operation, but an anonymous senior administration official later told reporters that some of the response would be “manifest and visible” during “the days and weeks ahead,” according to the White House.

When asked by a reporter on July 9 if the U.S. itself will turn off the hackers’ servers if Russia does not take action against them, the president agreed.

The Kremlin, however, on July 14 claimed no knowledge of REvil or the reason why it had apparently ended its online presence. “I don’t know which group or where it disappeared from,” commented presidential spokesman Dmitry Peskov, when asked if there was a link between REvil’s inaccessibility and the Biden-Putin phone call.

SEE ALSO: In Russia, Summit With U.S. President Biden A PR ‘Win’ For Vladimir Putin, Analysts Say


Repeating points made by President Putin during his June 16 summit with President Biden, Peskov stressed that cybercriminals should be punished, and that Russia and the U.S. should cooperate to curb such activities.

But just because REvil has disappeared from the darknet does not mean it is gone, a Russian cybersecurity expert and hacker cautioned.

In fact, REvil itself could be the reincarnation of another aggressive Russian-language ransomware group that disappeared in mid-May, DarkSide.

In early May, DarkSide attacked the private U.S. pipeline operator Colonial Pipeline, which estimates it supplies 45 percent of the East Coast’s fuel.

The FBI was able to return $2.3 million out of the $4.4 million Colonial Pipeline paid as ransom to the attackers, but only after the company had been compelled to shut down its operations for nearly a week.

On May 14, DarkSide announced that pressure from the U.S. authorities had prompted it to stop its activities. But experts assumed that the group would continue its hacking under a different name.

“It’s the same as REvil’s ransomware, but with minimal changes,” commented Russian cybersecurity expert Igor Bederov, founder of the company Internet Security. “This makes experts question the reality of the DarkSide group. This same REvil could have hidden underneath it.”

Ransomware group names and composition are merely a formality, Bederov said.

“The individuals who write code, who spread ransomware, who turn funds into cash, are temporary players. The software remains the foundation.”

REvil and DarkSide’s similarities are not restricted to code and both of the groups’ mysterious disappearance within two months.

The groups share a common business model, noted Russian hacker Dmitry Artimovich.

“They made the same ransomware, payment gateway, and their partners, who get up to 80 percent of the ransom, work on infecting computers,” said Artimovich. “Therefore, if the group decided for some reason to stop its activities, everything is straightforward – cut off everything and disappear with the money, including the partners’ money.”

Money, rather than geopolitics, appeared to be REvil’s main interest.

Unlike most hacker groups working in ransomware, REvil actively took part in hacker forums and even gave interviews. In October 2020, an alleged REvil administrator, using the pseudonym Unknown, talked with the YouTube channel Russian OSINT, which tracks cybersecurity trends. (The channel recorded a voiceover for Unknown’s text responses to its questions.)

Unknown said that the group’s name was borrowed from Resident Evil, a popular series of computer games. He described his dream as earning $1 billion - $2 billion, “or five, if [our] mood is good.”

At the time of the interview, REvil’s annual revenue, according to Unknown, had surpassed a billion rubles – roughly $13.5 million.

The alleged REvil representative described the risks of his business in stark terms.

“Seriously, I won’t be surprised if they kill me,” commented Unknown, referring to unnamed individuals. “I’ll understand it.”

Researchers have not named murder as among the likely reasons for REvil’s apparent disappearance.

Bitcoin-wallet groups that are known to cybersecurity experts can clarify what happened to the REvil hackers, believes Artimovich.

“Maybe they’d attracted too much attention to themselves; maybe there was some falling-out within the team; someone stole all the Bitcoins and took off,” he theorized.

“This is a criminal business. You don’t go to the police here.”