After its surprising disappearance, malicious cyber group REvil resumes activity

REvil, one of the most well-known attack groups in the world, is behind a series of high-profile cyberattacks such as those against JBS and Kaseya. Its members are Russian speakers, and one theory holds that Putin was behind the halt in its activity.



The malicious cyber group REvil, one of the most well-known attack groups in the world and the actor behind a series of ransomware attacks on leading companies, has resumed activity after going dark about two months ago. The BleepingComputer website reported that in recent days the group published stolen data on its data leak site on the dark web.

REvil, which is behind cyberattacks such as the one against the giant meat supplier JBS, stopped its activity after a massive attack in July on the systems of Kaseya, a vendor of remote computer-management software, in which about 1,500 companies in dozens of countries were hit. The group demanded a ransom of $50 million, which Kaseya made clear it did not pay. Ultimately the decryption keys were made available and the group disappeared from the dark web.

The members of the group are Russian speakers, and according to the prevailing theory they operate from Russian territory, possibly with the Russian government cooperating or turning a blind eye. After the attack on Kaseya, U.S. President Joe Biden spoke with his Russian counterpart Vladimir Putin and called on him to take action to stop the activity of hackers operating from Russian territory. A month earlier, the two had met for the first time since Biden's inauguration as president and discussed cybersecurity at length. Biden accused Putin of taking a permissive approach toward the malicious groups, and promised an American response to every attack.

After the group's activity was halted, cyber researchers raised the possibility that Russia, or perhaps the United States, had indeed acted to stop it. Speaking to the Politico website on condition of anonymity, a senior American official said: "We have certainly noticed that (REvil) stood down their operations. We don't know exactly why." Asked whether Russia was behind it, he responded: "It's possible, I guess. Again, we don't know exactly why they've stood down." Last Thursday, after the resumption of activity became known, the U.S. "cyber czar", National Cyber Director Chris Inglis, said it is too early to know for certain whether the Russian ransomware groups have stopped attacking American targets.