Earlier this year, Russian authorities effectively shut down the REvil ransomware gang after arresting several of its members. The operation was announced as a success after Russian and U.S. law enforcement agencies cooperated to identify and locate the members of the gang. This cooperation caused threat actors to panic, and many discussed on dark web forums that it may mark the end of ransomware. Prior to the arrests, threat actors believed there was an unwritten rule that allowed cyber criminals to operate within Russia so long as they did not attack organizations with Russian interests.

After Russia’s unprovoked invasion of Ukraine, the United States halted all cooperation with Russia and condemned its actions in Ukraine. This led to a breakdown in investigative cooperation between Russian and U.S. law enforcement agencies regarding cybercrime.

Recently, researchers and members of criminal forums have noticed that REvil’s Tor infrastructure has come back online, although users are redirected to a site for an unnamed ransomware operation. There was discussion surrounding REvil’s return, with many dark web users believing the group now works directly for Russian authorities. BleepingComputer reported that multiple threat researchers obtained a malware sample that indicates REvil has returned. Researchers believe that one of the previous core developers has relaunched the operation.