Even after the recent arrest of alleged members of the REvil ransomware group, the group’s activities have not slowed down. Two weeks after the arrests, researchers have found that the RaaS enterprise is still active.

Nothing stopping REvil

It seems that the arrest of alleged REvil members has not fully impacted their operations. Data from ReversingLabs suggests that the group’s activities are ongoing.
  • Around the period of the recent crackdown, the researchers could spot a daily average of 47 new REvil implants.
  • After the arrests, the number of REvil implants dipped to 24 per day, but that again increased to 26 implants a day.
  • The group’s activity was at its peak in July 2021— the malware had an average of 87 daily implants. The rate, however, tumbled after the gang disappeared into thin air.

Have efforts gone in vain?

After being accused of allowing cybercriminals to proliferate within its borders, the Russian government had detained 14 suspects of the REvil gang a few weeks ago. Previously in November 2021, Europol had declared the arrest of seven individuals, who reportedly played a role in the REvil and GandCrab attacks.

Today, it is highly obscure whether these raids and arrests of high-profile arrests of affiliates are actually making a difference.


The recent revelations regarding the ongoing activities of the REvil ransomware group is a dangerous sign, that too at a time when we continue to see the emergence of new threats. Security teams and analysts worldwide must continue to collaborate and share threat intel to make an impact against such threats as a team.

Cyware Publisher