REvil Arrests Disrupted the Gang but Failed to Stop Its Reemergence
Law enforcement action against REvil dismantled key parts of one of the most prolific cybercriminal operations, leading to arrests tied to the ransomware gang’s infrastructure and operators. The takedown marked a significant blow against a group long associated with high-impact extortion campaigns, affiliate-driven ransomware activity, and attacks that disrupted organizations across multiple sectors.
Despite those arrests, REvil’s reemergence showed how resilient major ransomware ecosystems remain after headline enforcement actions. The group’s return underscored the persistence of its criminal model, in which branding, tooling, and affiliate relationships can survive leadership disruption, allowing extortion operations to resume even after authorities seize infrastructure and detain suspected members.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Trellix publishes analysis of REvil arrests and reemergence
Trellix published a blog post titled "Dismantling a Prolific Cybercriminal Empire: REvil Arrests and Reemergence," indicating analysis of the REvil cybercriminal group's arrests and subsequent return. No further event details are provided in the reference content.
REvil disruption impacts its ransomware-as-a-service operation
By 2021-10-25, reporting described REvil as disrupted, with consequences for its ransomware-as-a-service model and broader affiliate ecosystem. This reflects a distinct development in the group's operational status preceding later analysis of arrests and reemergence.
REvil members claim shutdown after infrastructure takeover
On 2021-10-19, messages attributed to REvil operator '0_neday' said the group was ending operations after losing control of its infrastructure and amid internal conflict. Reporting said someone had taken over REvil's Tor payment portal and leak site, possibly using keys belonging to the missing spokesperson 'Unknown'.
REvil ransomware operation shuts down again
Security reporting said the REvil ransomware operation went offline again, marking a renewed disruption to the group's infrastructure and activity. This shutdown predates later reporting that described broader impacts on its ransomware-as-a-service operation.
Sources
Dismantling a Prolific Cybercriminal Empire: REvil Arrests and Reemergence (trellix.com)
REvil Ransomware Disrupted: Impact on RaaS &... (kelacyber.com)
Revil tire (encore) sa révérence [REvil bows out (again)] - ZDNET (zdnet.fr)
REvil ransomware operation shuts down once again (securityaffairs.co)
REvil ransomware operation shuts down once again (securityaffairs.com)
Moscow court charges 8 alleged REvil ransomware hackers | ZDNET (zdnet.com)