After roughly two months of hiatus, the REvil group’s dark web servers are active again. The group suddenly went offline in July.

What has happened

In July, the REvil gang had targeted the Kaseya VSA remote management software and demanded $70 million. After that, the gang faced increased pressure from law enforcement and soon it shut down.
  • Now, REvil’s payment, negotiation, and the Happy Blog data leak sites have suddenly come back online. The last victim that the ransomware gang added on its data leak site was on July 8, five days before its disappearance.
  • The data leak site is working normally, however, the Tor negotiation site is still not fully operational. It is displaying the login screen, although it does not allow victims to log into the site.
  • Its http://decoder[.]re/ is still not active and it is not confirmed that the REvil gang is back in action. The servers could have been turned on by mistake or due to the actions of law enforcement.

The sudden disappearance of REvil

In July, the helpdesk chat, payment site, negotiation portal, and public site of the REvil ransomware gang suddenly became offline. Thus, it was assumed that the group was shutting down. 
  • At that time, it was believed that the reason for the sudden disappearance was due to a dialogue between the U.S. and the Russian governments, along with pressure from law enforcement agencies.
  • Surprisingly, some threat actors on the forum had forecasted that the group will make an appearance again in the near future. This statement was made by looking at the trend of re-branding of ransomware groups.


The reason behind the recent activity of REvil is not clear at present. However, even if the ransomware gang is coming back, it will not be that surprising as ransomware gangs are known to do so. However, in the case of REvil, it cannot be denied that the restart was a potential mistake or due to some action taken by law enforcement.

Cyware Publisher