REvil gang suddenly goes silent leaving victims unable to recover systems

All REvil websites went offline on Tuesday, leaving security experts and victims to speculate on the reason why.

Ransomware  >  A masked criminal ransoms data for payment.
Mikkel William / Getty Images

The dark web sites operated by the notorious REvil ransomware group suddenly went offline on Tuesday, prompting speculation that the US or Russian governments stepped in. Meanwhile, victims and the security companies working for them to recover data have been put in a more difficult situation.

"Victims have been left without the ability to recover the decryption software necessary to restore encrypted networks, our clients being among them," Mike Fowler, vice president of intelligence services at GroupSense, a company that provides ransom negotiation services, tells CSO. "It is our hope that the organization responsible for the takedowns was able to gather the necessary software needed to provide the decryption keys when supplied with the victim-specific encryption keys. If not, we consider it computationally infeasible that the victims will be able to recover their data via other means."

REvil goes dark

Multiple cybercrime intelligence firms including Emsisoft, Group-IB and GroupSense, have confirmed to CSO that REvil's websites became unavailable on Tuesday. This includes the website used by the group for public communication and to list victims in an attempt to shame them, as well as the payment site that allowed victims to determine the ransom amount and communicate with the attackers through a web chat interface.

While it's not yet confirmed what caused this disruption, members of the cyber threat intelligence community believe it is the result of a government or law enforcement operation that targeted REvil's activities. The incident comes after President Joe Biden warned Russian President Vladimir Putin on Friday that the United States is ready to take action if ransomware groups operating from Russia are not stopped.

"I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is," Biden told reporters.

The President added that the two governments have set up a way of communicating on a regular basis on cyberattack issues that impact the two countries and declared himself optimistic. Responding to a question from reporters on whether the US government could attack servers in Russia that are involved in such cyberattacks in retaliation, President Biden answered, "Yes."

REvil gang a key ransomware player

REvil, also known as Sodinokibi, appeared in 2019 and is one of the most active and successful ransomware operations. Security researchers believe the group behind it had its origins in another notorious and now defunct ransomware gang known as GandCrab. Like most ransomware threats in recent years, REvil is operated as a cybercriminal service where the creators of the malware work with other groups known as affiliates to distribute it inside victim networks. Based on reports, affiliates can get a cut as high as 70% of the ransom payments.

REvil has been one of the most frequently encountered ransomware infections over the past year according to reports from security companies, but the group attracted widespread media attention last week after one of its affiliates exploited zero-day vulnerabilities in a systems management and monitoring tool developed by a company called Kaseya. The supply-chain attack resulted in the compromise of over 30 managed service providers (MSPs) from around the world that used the tool as well as over 1,000 businesses whose systems were managed by those MSPs. Last month, the REvil ransomware was also used in an attack against the US subsidiary of JBS, one of the world's largest meat processing companies.

These high-profile ransomware incidents follow another attack in May, where the network of fuel transportation company Colonial Pipeline was infected with another ransomware strain known as DarkSide, leading to fuel shortages along the US East Coast. Cybercrime intelligence firm Flashpoint reported at the time that DarkSide was based on REvil and was likely created by a former REvil affiliate.

The DarkSide group shut down its operations after the Colonial Pipeline attack attracted too much attention from the US government and the FBI managed to seize some of the cryptocurrency that was used to make the ransom payment that allowed the company to recover. It is possible that the REvil group decided to voluntarily shut down its activities, too, especially since it was specifically named by the White House in the context of communicating with the Russian government on taking action against ransomware.

Reason for REvil disappearance unknown

However, it's also possible that either the Russian law enforcement agencies acted following President Biden and President Putin's latest discussion, or that the US government used its offensive cyber capabilities to take down REvil's infrastructure.

"At this point, it’s unclear whether the outage is temporary or permanent or the result of action taken by law enforcement," Brett Callow, a threat analyst at Emsisoft, tells CSO. "If the outage is permanent, it would create problems for victims as paying the demand would not be an option -- unless, of course, the operators' keys were to be surrendered or obtained by other means."

GroupSense’s Fowler believes that these particular REvil websites will not return but noted that unless those responsible for the REvil platform were actually arrested, they will just move on to other existing ransomware groups or set up new ones. "Ransomware groups such as REvil tend to follow a 'hydra' cadence – when one head is chopped off, two more appear in short order," he says.

Copyright © 2021 IDG Communications, Inc.

How to choose a SIEM solution: 11 key features and considerations