Has REvil Disbanded? White House Says It Doesn't KnowSpeculation Rages as Notorious Ransomware Operation Remains Quiet and Offline
What's up with REvil? Questions have been mounting since the notorious ransomware-as-a-service operation, also known as Sodinokibi or Sodin, went quiet on July 13.
Since REvil first appeared in mid-2019, the RaaS operation had racked up a huge number of hits, including the May 30 skewering of meat processing giant JBS and the July 2 attack unleashed via remote management software firm Kaseya's software, infecting about 60 of its managed service provider customers and up to 1,500 of their clients. (On Thursday, Kaseya said it had obtained a universal decryption tool to help all victims from a "third party." The company declined to say exactly how it obtained the tool, leading to speculation that it paid attackers.)
"No matter how patriotic you are as a hacker or how little you care about being arrested, when you get to that level of scrutiny, nobody wants that on them."
For the past two years, one of REvil's administrators, "Unknown," was a loquacious presence online, and the operation's "Happy Blog" data-leak site unrepentantly and regularly attempted to name and shame victims, sometimes also leaking stolen data to pressure victims into paying it a ransom (see: Case Study: A REvil Ransom Negotiation).
But then REvil went quiet on July 13. Its "Happy Blog" and payment portal - both hosted on the dark web, meaning they're only reachable via the anonymizing Tor browser - went offline and has stayed that way. No word has been heard from the leaders of the ransomware operation, who are believed to reside in or around Russia (see: What's Next Step for REvil Ransomware Victims?).
The news raises many questions. Is the gang laying low while it waits for the political heat to die down before rebooting under a different name? Flush with cash after receiving an $11 million ransom payment from JBS, did the operators decide to retire? Is Russia finally heeding calls from the White House to crack down on ransomware operations based inside its borders? Did the White House scuttle REvil's attack infrastructure?
White House: 'We Don't Know'
"We have certainly noticed that they’ve stood down their operations. We don’t know exactly why," a White House official, speaking on condition of anonymity, told Politico.
At a Sunday press briefing, a senior administration official told reporters that "at least from looking at the open source information, the REvil’s spokesperson’s account may have been banned from Russian hacking channels," and also that the "REvil infrastructure remains down." As of Thursday, that infrastructure continued to remain down.
"We think that’s a very positive thing," the official said. "This is a group that has brought tremendous negative impact to victims around the world."
But REvil is just one of many ransomware operations, as the official emphasized, and efforts to disrupt these criminal enterprises will continue for a long time to come.
"We’ve continued to convey to the Russian government that we hold Russia accountable for activities ... of criminals operating out of Russia," the official said. "And we continue to look for continued progress - clearly, not only in infrastructure being down, but in the more enduring way, in criminals who do these activities being brought to justice as well."
Cybercrime Ecosystem Reacts
REvil isn't the only ransomware operation to have recently changed its profile. DarkSide announced it would cease working with affiliates - the individuals who take the ransomware code developed by administrators, use it to infect victims and share in resulting profits - following the outcry generated by its attack against Colonial Pipeline, which supplies fuel for 45% of the East Coast of the U.S.
And with the apparent ban of REvil's spokesman from cybercrime forums, the forums' tolerance for ransomware seems to be scant, at least for the moment.
Bob McArdle, director of cybercrime research at security firm Trend Micro, says there's been a ban on all ransomware discussions on at least two of the largest Russian-speaking cybercrime forums following the May attacks by the DarkSide operation against Colonial Pipeline and by the Conti operation against Ireland's health service.
"People see them as two separate incidents. The other way to look at is: that's two United Nations Security Council members hit in the space of space of two weeks, both by Russian-speaking ransomware groups. That's going to become a presidential topic," McArdle tells me.
"No matter how patriotic you are as a hacker or how little you care about being arrested when you get to that level of scrutiny, nobody wants that on them. So there is definitely a push in the forums that - at least for now - for the time being, this is a topic that you cannot talk about," he says.
For more established ransomware operations, he says, the forum bans probably aren't having a big impact. Likewise, other operators have found creative ways of circumventing the bans, for example, by advertising for "pentesters" with experience breaching large corporate networks, he says.
Whether forum administrators' intolerance for ransomware will continue is not clear - just like the status of REvil.
This blog has been updated to reflect Kaseya on July 22 stating that it had obtained a decryption tool for all victims to use.