Two prominent ransomware groups, who recently claimed to have shut down, now seem to be making a comeback again. These two ransomware groups are none other than Clop and REvil.

Clop revives again

According to researchers, after shutting down its entire operation from November 2021 to February 2022, Clop ransomware seems to be active again. 
  • Clop had an unexpected return with a jump from the least active threat in March to the fourth most active in April.
  • Its activity was noticed after the group added 21 new victims to their data leak site within a single month of April.
  • The most targeted sector was the industrial sector, where 45% of attacks hit industrial firms and 27% technology companies.
  • One theory says that the group is likely publishing the data stolen from these victims some time ago. The Clop group might finally be shutting down its operation after being inactive for a long time and is publishing data of all its previously unpublished victims before the final wrap-up.

REvil on the same path

The so-thought-defunct REvil ransomware group, allegedly, targeted one of Akamai's customers with a Layer 7 attack and demanded a ransom payment.
  • The group is claiming responsibility for a recent DDoS attack against a hospitality customer of Akamai.
  • However, researchers suspect that the attack could be a copycat operation instead of a resurgence of the cybercriminal group.


It is a common assumption that whenever a prominent ransomware group claims to shut down, it often makes a comeback with a rebranded version or new infrastructure. However, experts also suspect that these activities by Clop and REvil could be their final activities to wrap up their attacks in the pipeline. Researchers have not denied the possibility that these could be some copycat gangs, trying to threaten the victims by using names of top-shot threats. In either case, it is suggested to stay protected by taking backup of important data.
Cyware Publisher