The REvil ransomware gang, implicated in the high-profile attacks on JBS and Kaseya, seems to have very suddenly disappeared from the internet. Cybersecurity researchers report that the entirety of the group’s infrastructure, from extortion pages to servers, has gone offline. The group has even closed up pages advertising its services on the dark web.
It may be that the Biden administration’s warning of more aggressive action scared the hackers into the shadows, but it may also be a tactical retreat. Ransomware groups have been known to disband when the heat is on and take an extended break, only to reform and reappear under another name — something that REvil has already done in the past.
REvil ransomware infrastructure goes dark, even on dark web
Security researchers do not know if the REvil ransomware group has made a permanent exit, but at the moment it has taken every element of its operation offline. This is the first time the group has made itself completely unavailable since it first appeared in early 2019.
REvil ransomware is something that can essentially be “rented” by other criminals, meaning that the group is generally very accessible on the dark web. But, for the first time, it has pulled all of that customer-facing infrastructure offline: payment portals, chat rooms and the informational extortion pages that are linked to when a target is infected with ransomware. Some researchers point out that individual elements of the group’s customer contact efforts, such as its infamous “Happy Blog,” have gone down for days at a time before. However, it has never before taken down the entirety of its dark web setup for an extended period such as this.
Neil Jones, cybersecurity evangelist for Egnyte, points out that this disappearance does not necessarily imply that the group’s attack capability is also gone: “When malware infrastructure goes offline - even temporarily - that’s obviously good news for businesses. However, I would encourage organizations not to let their guards down, and to continue with the proven detection and mitigation strategies that have gotten them through the recent ransomware crisis. Realistically, new ransomware infrastructure can be brought online quickly, so we all need to remain vigilant. While it’s too early to determine the cause of the sites’ outages, continual steps must be taken to thwart ransomware groups, and the public and private sectors must come together at the highest levels to challenge multi-million dollar cybercriminal gangs.”
US to be more aggressive towards cyber attackers
The move comes as US president Joe Biden has made statements about being more aggressive with cyber attackers, and said that he has pressed Russian president Vladimir Putin to take action against criminals operating from his territory. The Putin government has long tacitly allowed criminal hackers to operate from the country so long as they avoid domestic targets or any allied or foreign targets that might cause diplomatic or legal problems. REvil is among the groups that have really been pushing the limits of that unspoken arrangement as of late, with the REvil ransomware used against high-profile targets tied to critical infrastructure in the US. For their part, a spokesperson for the Russian government said that they are awaiting detailed information from US officials indicating that the attacks originated from their country. The White House says that it has already shared some information about the hackers with the Russian government.
The situation for those currently dealing with an REvil ransomware attack is unclear. The attack on management software provider Kaseya spiraled out to impact what is estimated to be thousands of victims throughout the world. Some of those may have been planning to pay REvil to resolve the issue or were in the midst of negotiations with them, but with the group having pulled all of its dark web communications offline, it is unclear what will happen to those that still have locked systems (and leaked data that could potentially be made public).
Biden had intimated that the US might attack Russia-based servers used by the REvil ransomware group if nothing was done. This has been done in foreign countries by the United States Cyber Command before, albeit sparingly. But the timing also indicates the possibility of a gesture of goodwill by Putin, with the disappearance of the REvil ransomware gang from the dark web coming just days before a working group agreed to by the two countries was set to have its first meeting.
Ransomware groups known to disband and reappear under another name
Of course, REvil may well have opted to disband on its own due to mounting pressure. That is the path that appears to have been taken by its counterpart DarkSide, which similarly disappeared from the dark web and shut down all contacts after it was implicated in the attack on Colonial Pipeline that disrupted the US gas supply for a week. However, if that is the case, cybersecurity experts warn that the group will likely lie low for some time and then reform and get back to the business of ransomware attacks once it feels some of the heat has died down.
Prior to the group’s disappearance, a string of attacks had been attributed to REvil ransomware beyond the headline-grabbing compromises of Kaseya and meat packing giant JBS. These included Taiwan-based Apple contractor Quanta and a major law firm in New York thought to be handling a case related to former president Donald Trump. The group has already dissolved under pressure and reformed at least once before in its history; it started out as the GandCrab group, which went on a ransomware spree in 2018 that primarily targeted healthcare vendors and supposedly netted the group $2 billion in revenue. The Digital Shadows Photon Research Team advises that another change of form should be expected, possibly a split to smaller teams that resurface on the dark web: “While chatter about the outage is limited due to some Russian-language forums’ hostile attitude towards discussing ransomware, some threat actors have speculated that even if law enforcement agencies have successfully targeted REvil, this will not spell the end of the group’s activities. Some predicted that the group will reappear under another name or split into smaller groups to attract less attention. Further insights and commentary about this developing situation will likely appear during the next few days.”