On Tuesday morning the Ransomware-as-a-Service (RaaS) group REvil, perpetrator of the high-profile Kaseya ransomware attack, was nowhere to be found on the dark web. Its entire online infrastructure, including the ‘Happy Blog’ where it threatened to post sensitive data should a victim refuse to pay up, had been taken down. International law enforcement agencies may be behind REvil’s demise, but it is also possible the threat actors running the group decided to take it offline and will resurface in a different guise.
REvil is one of the most creative and notorious ransomware gangs at large. Thought to be based in Russia, its malware, also known as Sodinokibi, has been found at the centre of two of this year’s biggest attacks. In June the gang targeted the world’s largest meat processing company, JBS, which paid $11m in bitcoin (BTC) to retrieve its systems. Most recently the managed service provider (MSP) Kaseya was targeted, resulting in the encryption of data from up to 1,500 SMEs worldwide. REvil offered a universal decryption code for the companies affected by the Kaseya attack for a price of $70m in bitcoin, the largest known ransom demand so far.
Experts who spoke to Tech Monitor believe one of two things has happened to REvil. Either it has been removed by Russian security officials after US president Joe Biden put pressure on the Kremlin to take action following the recent attacks, or the group itself has taken down its own infrastructure because of all the attention it has been receiving, a tactic that has already been used this year by fellow RaaS group DarkSide.
Was REvil taken down by law enforcement?
President Biden has been ratcheting up the pressure on the Russian government to support the US and other western countries affected by ransomware breaches. "It was interesting that the first Biden-Putin summit last month brought up cybersecurity and ransomware," says Emily Taylor, CEO of cyber intelligence company Oxford Information Labs. "That's not happened before. Also, Biden seemed to be making veiled threats of reprisals."
On Saturday it was revealed President Biden had called Russian president Vladimir Putin to talk about the Kaseya attack and other ransomware threats. "I made it very clear to him what the United States expects when a ransomware operation is coming from his soil. Even though it's not sponsored by the state, we expect them to act if we give them enough information," a statement from the president read.
Because of this, the team at cybersecurity company Digital Shadows believes "it is realistically possible that a law enforcement agency has targeted REvil and taken down its infrastructure". However, others say this is unlikely due to the breadth of Tuesday's action, which covered multiple providers and would therefore have been difficult for anyone other than REvil itself to co-ordinate. An alternative theory is that the group may have been persuaded by the Russian government to go dark to keep the Americans happy.
"Is this the US cyber command taking them out? Is this the Russian state tweaking them and saying lie low for a bit?" asks Taylor. "The most likely outcome, we think, and it's happened before, is that they're lying low and rebranding."
Is REvil just lying low and what happens next?
This would not be the first time a RaaS gang has expunged itself from existence online in order to either deflect some of the heat emanating from its recent crimes, or to simply retire the name altogether and re-emerge with a new name and a clean slate. DarkSide implemented this tactic after the Colonial Pipeline attack, and GandCrab publicly retired in 2019 after claiming it had made $2bn since becoming active in 2018.
What seems certain is that the threat actors behind REvil will reappear in some shape or form due to the massive rewards which can be garnered from ransomware attacks. If not, others will soon emerge to take their place. "The high financial gains attached to attacks of this nature will no doubt entice some other threat actor to fill the void," says lead cybersecurity researcher at CyberInt, Jason Hill.
Claudia Glover is a staff reporter on Tech Monitor.