The sudden disappearance Tuesday of the payment, support and data leak websites of the Russian-based REvil ransomware group has sparked waves of speculation: was the criminal group the victim of an attack by a nation-state, pushed by Moscow to lie low for a while, or just content to sit on piles of cash?
Eric Milam, BlackBerry’s vice-president of research and intelligence, is among those suspecting the U.S. somehow had a hand.
“When I saw the press saying REvil was being taken down, or at least some of their sites weren’t responsive, I immediately thought back to recently when [U.S. President] Biden said with a wry smile, ‘We’re going to do something about [ransomware],’” Milam said in an interview.
“If I had to take a guess, I would say that it was probably political pressure from the U.S. to Russia, and then Russia to them [REvil].”
The disappearance of REvil [also called Sodinokibi by some researchers] online comes a week after the gang claimed responsibility for the cyber attack on the on-premises version of Kaseya’s VSA remote IT monitoring suite, which spread malware to 60 managed service providers and 1,500 of their customers around the world. REvil has also attacked a number of other major firms, including international meat producer JBS, which reportedly ended up paying $11 million to the gang to recover its data.
But it’s as much a mystery, Milam added, as the Darkside ransomware group’s recent loss of access to its payment site after the attack on the U.S.-based Colonial Pipeline. The group “overstepped” and drew the wrath of Biden, he said, “and all of a sudden they were gone. My guess is that was a clandestine mission of the United States.”
“I think that what we’re seeing is the U.S. government is getting involved, and the folks [attackers] who aren’t necessarily nation-state sponsored are feeling the heat.”
After the Colonial attack, U.S. leaders demanded that the country’s law enforcement and intelligence agencies strike back at ransomware groups, reportedly leaving some of those groups hesitant to launch attacks. As recently as last Friday, when asked at a press conference by a Reuters correspondent whether it would make sense to attack the Russian servers used in cyber attacks, Biden paused, smiled and said: “Yes.”
But Milam noted an alleged REvil spokesperson was quoted by a Russian website early in June saying it’s no longer trying to avoid U.S.-based organizations.
As for how long REvil will be offline, experts also differ. For one thing, REvil is a ransomware-as-a-service (RaaS) operation, with numerous affiliates doing the initial reconnaissance and penetration of an organization and then deploying the REvil malware. Others note that REvil appears to have evolved from the GandCrab RaaS group, which announced in 2019 it was “retiring.”
Milam speculates it will “pack it up for a bit. Go on vacation.” But, he cautioned, “nobody goes away forever.” Even if it does, “that void will be … filled quickly.”
Robert Falzon, head of engineering at Check Point Software Canada, said one possible explanation is a “silent takedown” of the REvil sites by someone. “Though it might be too early to celebrate,” he said in an email, “another viable possibility is that the ransomware gang has decided to lie low, given all the attention and spotlight they’ve undergone recently from the Kaseya, Colonial Pipeline and JBS attacks. It’s possible that REvil has gone into ‘retirement’, or at least a temporary one, as they did with the GandCrab ransomware a few years ago. We recommend not jumping to any immediate conclusions as it’s early, but REvil is one of the most ruthless and creative ransomware gangs we’ve ever seen.”
Emsisoft estimates REvil has been responsible for more than 360 attacks on the U.S. public and private sectors this year alone. According to its calculations, REvil isn’t the most common ransomware strain found around the world. It is believed to have been used in just over nine per cent of attacks in the first quarter of this year. However, its targets are often large organizations, and therefore its attacks get headlines.
Ransomware groups will often lie low for a while and re-emerge under a different brand, or sell off their assets to another group to continue the attacks, noted Johannes Ullrich, dean of research at the SANS Institute.
“Branding and the trust coming with a well-known brand is as important for ransomware actors as it is for other companies,” he said in an email. “REvil was known as reliable in providing decryption keys after a ransom was paid, and has not leaked data of companies who paid. These well-known groups are able to ask for higher ransom payments compared to copy cats that are more like an ‘Amazon Marketplace’ of ransomware, and a victim never knows if they will get their data back after a payment is made.”
“The situation is still unfolding,” John Hultquist of Mandiant Threat Intelligence told CNBC on Tuesday, “but evidence suggests REvil has suffered a planned, concurrent takedown of their infrastructure, either by the operators themselves or via industry or law enforcement action.”
Vladimir Kuskov, head of threat exploration at Kaspersky, said in an email that “circumstances suggest that REvil might stop its operations, following the path DarkSide, Avaddon, and Babuk took” in going offline. However, like other groups that have temporarily disappeared, Kuskov believes REvil will return, either under its current name or a new one.