REvil Ransomware Operations Apparently Unaffected by Recent Arrests

The REvil (Sodinokibi) ransomware cooperative’s activity has not slowed down following Russia’s recent move to arrest several alleged members of the group, according to threat intelligence company ReversingLabs.

Two weeks have passed since Russia’s Federal Security Service (FSB) announced the takedown of the REvil group “at the request of US authorities,” but the ransomware-as-a-service (RaaS) enterprise remains as active as before.

Russia has long been accused of allowing cybercriminals to operate within its borders as long as Russian nationals and organizations are not targeted. With the arrest of 14 alleged REvil members, it appeared set to send a different message, even if some saw the move as political, coming amid rising tensions at the Ukraine border.

However, as ReversingLabs points out, the high-profile arrests of affiliates did not put a dent in REvil operations. In fact, the group is continuing operations at the very same pace as just before the arrests.

[ READ: Five Key Signals From Russia’s REvil Ransomware Bust ]

In November 2021, Europol announced the arrest of seven individuals involved in REvil and GandCrab ransomware attacks (the arrests were made over a period of seven months). At that time, ReversingLabs was observing an average of 47 new REvil implants per day (326 per week).

That rate was higher than in September (43 new implants per day, 307 per week) and October (22 per day, 150 per week), but well below July (87 per day, 608 per week), the month in which the group went offline.

In the period following the Russian arrests, the number of observed REvil implants did not fall; it rose slightly, from 24 per day (169 per week) to an average of 26 per day (180 per week).

“While it’s true that more time may be needed to assess the full impact of the arrests on REvil’s activity, the data so far would suggest that it is ‘business as usual’ for the ransomware gang,” ReversingLabs notes.

[ READ: Dark Web Chatter: What Other Russian Hackers Are Saying About the REvil Arrests ]

“Threat groups exploit regionalised regulation, and distributed organizational structure with sovereign state safehousing, all while leveraging a ‘no-rule’ borderless attack strategy. That makes it ever harder for national and international criminal policing organizations to put an end to threat groups such as REvil,” ReversingLabs senior threat researcher Andrew Yeates says.

Coordinated action against REvil infrastructure may have had a short-term impact on the RaaS’s prevalence, but halting the cybercrime ring outright would require much stronger measures, particularly given the group’s corporation-like structure, in which affiliates launch the attacks and receive payments while a core team maintains the malware and infrastructure.

Arresting only affiliates therefore leaves the core of the RaaS intact and free to recruit replacements. Conversely, if only the core is taken down, affiliates can rebuild the enterprise or migrate to a different RaaS. The same holds for other cybercriminal organizations built on this model.

Related: SecurityWeek Cyber Insights 2022: Ransomware

Related: REvil Ransomware Gang Hit by Law Enforcement Hack-Back Operation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
