It’s not unknown for ransomware gangs to disappear and return, or to disappear and return with a new name and business model.
But the history of the Russian-based REvil/Sodinokibi group this year is leaving cybersecurity experts baffled. The ransomware-as-a-service gang’s Tor payment sites went offline Sunday, reportedly because someone hijacked the gang’s domains.
This came after the gang’s payment, support and data leak websites went offline in July, only to return in September.
“Someone was able to compromise their private keys for their Tor service,” Chad Anderson, a senior threat researcher at Domain Tools, said in an interview Monday. “It looks like it’s going to be down for now.”
But, he added, like other ransomware gangs that come and go “they disappear for a bit, improve their product and come back with a new offering … The lure of the money is too big,” for criminal gangs to give up, he said.
Who turned against REvil and why is a matter of intense speculation among cybersecurity analysts.
Anderson and others say there are three possibilities:
—Revenge. REvil “already pissed off a lot of the [criminal ransomware] community when they put in a backdoor in their ransomware offering,” Anderson pointed out. This was a reference to reports that since at least 2020 posters on underground forums claimed REvil operators were taking over negotiations with victims in secret chats, unbeknownst to the affiliates who had discovered and infected victim organizations. In this scenario a crook holding a grudge decided REvil was going down for the count;
—A conspiracy. In this scenario the loss in July by REvil of some servers was the result of a police counter-strike after REvil’s attack on Kaseya. Cops brought it back online to scoop up more information from threat actors in September, got what they wanted and closed the doors again this weekend. We do know according to the Washington Post that the FBI somehow got hold of REvil’s decryption keys over the summer. The FBI told Congress it didn’t release the keys to victims so they could decrypt their data because they were preparing to seize REvil’s infrastructure. The group went down in July before that could happen;
–or it’s just another game by REvil’s operators.
This weekend’s second going of REvil was first reported on Twitter by Dmitry Smilyanets, a researcher with Recorded Future.
According to research on the history of a number of ransomware gangs that Anderson published earlier this year, the REvil ransomware family first appeared in April 2019 and is thought, due to code similarities, to be the spiritual successor to GandCrab, an earlier ransomware variant that targeted consumers.
By Domain Tool’s calculation, it grew to become the number three ransomware infection in terms of the number of victim organizations (after Conti and Maze). A threat intelligence firm called DarkTracer ranked REvil second just over a three-year period ending at the beginning of this month (286 victims compared to Conti’s 517).
Similar to many other ransomware variants, REvil only attacks a computer system if its language region is a country outside of nations close to Russia.
REvil samples will attempt to escalate privileges by constantly spamming the user with an administrator login prompt, Anderson’s research said, or will reboot into Windows Safe Mode to encrypt files because antivirus software rarely runs in safe mode.
The REvil strain uses the AES or Salsa20 encryption algorithms on victim files, which is a slightly unique signature, Anderson said.
As a ransomware-as-a-service operation, REvil uses affiliates to choose targets and deliver the initial compromise. Often malware is hidden in email attachments leveraging old vulnerabilities on unpatched machines. More recently, affiliates have used the Qakbot botnet worm, which, Anderson notes, is more effective than individual targeting of companies for most affiliates.
Anderson said there are likely no tears among fellow crooks if REvil really is gone. “In an already saturated space it’s got to be nice to lose a competitor,” he said. “REvil lost a little bit of goodwill with that backdoor.”