Following the recent event, when REvil ransomware‘s infrastructure was taken down by law enforcement, the Groover ransomware gang has begun to react to what happened. So they have started to ask extortion groups to engage in attacking the interests of the US.

REvil Ransomware Taken Down

The infrastructure of the REvil ransomware was taken down during the weekend, on the 17th of October, after their web domains were compromised by a third party. A REvil ransomware operator noticed that some anonymous party engaged in altering files to trick the threat actor to access a website that was under the same party’s control.

Here is a post from a forum in this sense:

forum-post REvil

Image Source

It was then confirmed by the news organization Reuters that law enforcement together with the FBI managed to take down REvil’s operation.

Groove Ransomware Gang Reacts

Groove Ransomware gang started to react to what happened and according to BleepingComputer publication, they said in a Russian blog post published on the 22nd of October that they were appealing to the other extortion groups to join efforts and start targeting US interests.

The same blog post, however, warns that Chinese companies should not be targeted, as this will be their hideaway if Russia will start to take severe measures against cyberattacks.

In our difficult and troubled time when the US government is trying to fight us, I call on all partner programs to stop competing, unite and start xxcking up the US public sector, show this old man who is the boss here who is the boss and will be on the Internet while our boys were dying on honeypots, the nets from rude aibi squeezed their own… but he was rewarded with higher and now he will go to jail for treason, so let’s help our state fight against such ghouls as cybersecurity firms that are sold to amers, like US government agencies, I urge not to attack Chinese companies, because where do we pinch if our homeland suddenly turns away from us, only to our good neighbors – the Chinese! I BELIEVE THAT ALL ZONES IN THE USA WILL BE OPENED, ALL xxOES WILL COME OUT AND xxCK THIS xxCKING BIDEN IN ALL THE CRACKS, I myself will personally make efforts to do this.


According to the same publication mentioned above, a Dutch bank threat intelligence expert shared with their journalists that in July 2021 the launching of RAMP took place, a hacking forum started by “Orange”, a cybercriminal who split from Babuk ransomware. However, he still had access and control of the Babuk Tor website and he made use of it to make possible the launching of this forum. He was the forum’s admin and he is also said to be part of the Groove operation. As they say, Orange might have announced recently the intention of a new operation, without many details and he acted in this sense by beginning to pursue US hospitals and government agencies network access purchase.

Therefore, BleepingComputer says that the two pieces of information are related, apparently this call to action from the Groove ransomware group having been planned for a while and somehow what happened with REvil made the threat actors behind Groove start acting.

However, it is not known yet what the results of this Groove group call to action will be or how will these cyberattacks unfold.

If you enjoyed this article, you’ll surely enjoy other pieces of content too. To make sure you do not miss a thing follow us on LinkedInTwitterYouTubeFacebookand Instagram to keep up to date with everything we post!

REvil/Sodinokibi Ransomware: Origin, Victims, Prevention Strategies

REvil Ransomware’s Tor Sites Were Hijacked

Ransomware Explained. What It Is and How It Works

Leave a Reply

Your email address will not be published. Required fields are marked *