Last Week in Ransomware: Week of July 19th

This past week hasn't seen quite as much activity as others, likely due to the new ransomware task force created in the US and the mysterious disappearance of REvil and other gangs.
Michael Raymond
Last updated January 17, 2023

The REvil ransomware gang’s online presence experienced a thorough overnight takedown that included clearnet as well as darknet websites. It’s currently unclear who’s responsible, but given how orderly it was, there are two distinct possibilities: either some nation-state, such as a US agency or Russian agency, took them out, or the group themselves decided that there was too much attention on their attack and scuttled their own ship. While the group’s “unknown” representative didn’t make an announcement, this latter option seems the most likely. Odds are they’ll keep their heads down for a while developing new attacks, then rebrand the group in a few months.

But everything’s not sunshine and rainbows for some victims of the REvil ransomware attack. When the sites went down they also took down any chance of decrypting your files. This left at least one victim struggling to decrypt. It’s also an important reminder to make sure to patch vulnerabilities before someone else comes along and tries to emulate what REvil was able to achieve.

Why would REvil scrap their own websites? Well, in a slightly surprising move, the US government took definitive actions against ransomware groups. First, they launched a task force to combat cybersecurity threats and primarily track down cryptocurrency transactions in the blockchain. Only time will tell how much they’re able to actually achieve while playing a mostly reactionary role. Second, the US is offering a $10 Million Ransom for operations conducted by foreign governments. The casual observer might think the $10 million Ransom is aimed squarely at Russia, and while that might be the case, it also seems that China wants in on the game as well. And lastly, the US published a ransomware website to inform the public and companies how best to protect themselves.

Not to be left out, Interpol also urged police worldwide to work together against the ransomware pandemic.

In similar but unrelated news, Sodinokibi Websites and Infrastructure are Mysteriously Offline.

Additionally, SonicWall warns of ‘critical’ ransomware risk to EOL SMA 100 VPN appliances.

And to round out the news for the week, in a surprise to no one, a recent survey found that 25% of ransomware attacks started through phishing.

Ransomware Research

VMware ESXi isn’t quite as safe as it used to be: a new version of the HelloKitty ransomware has been discovered targeting Linux virtual machines.

There’s also a brand new report out on Mespinoza ransomware, along with a new group called AvosLocker, which may or may not be related to DoppelPaymer.

And in this week’s round of new ransomware variants, we have a few contestants:

Phobos is now using .LOWPRICE

Stop Djvu is using .wwka and .gujd

New Dharma is using .OFF, .pause and .PcS

Upcoming Security Conferences

Ransomware Live 2021 (July 29 – 31)

This is the largest conference focused exclusively on the ransomware threat. It offers a great opportunity to grow your security knowledge and find new and innovative ways to protect your company.

BLACK HAT USA 2021 (July 31 – Aug 5)

Black Hat is one of the largest annual security conferences. It’s the corporate version of Defcon and as such is a great opportunity to get face time with security professionals such as the Varonis team. Be sure to stop by our booth!
