Where Did REvil Ransomware Go? Will it Be Back?

Speculation swirled over why the prolific and dangerous REvil ransomware operation went offline (blog, payment processing, all suddenly went kaput), but it’s important not to lose sight of the bigger issues. While the group is gone, at least for the time being, there’s a good chance it will be back under another franchise. And ransomware threats still loom large.

“I don’t know what this means, but regardless, I’m happy!” tweeted Katie Nickels, director of intel at Red Canary. “If it’s a government takedown–awesome, they’re taking action. If the actors voluntarily went quiet–excellent, maybe they’re scared.”

But, she wrote, “It’s still important to remember that this doesn’t solve ransomware.”

And previous victims might not share that same sense of elation. “If there are victims who have paid and are waiting for software to decrypt their data/systems, then they are in a very tough predicament,” said Nasser Fattah, North America Steering Committee Chair at Shared Assessments.

Calling the “inaccessibility of the REvil ransomware group’s websites … unusual because the group’s infrastructure has historically been more stable than that of other ransomware groups,” the Digital Shadows Photon Research Group floated the idea that “the outage could be down to temporary technical issues or upgrades, or it could signify a law enforcement disruption of the group’s operations.”

While most security pros in the private sector and in government were caught off-guard by REvil’s abrupt departure, there had been warning signs. In retrospect, REvil’s representatives had “not appeared on high-profile Russian-language cybercriminal forums for several days,” Digital Shadows researchers said.

What’s more, “ransomware gangs operating in Russia were on borrowed time the second Colonial was hit,” said Jake Williams, CTO and co-founder of BreachQuest.

“Once a gang gets visibility and publicity, just like REvil; they pretty much become public enemy number one,” said Saumitra Das, CTO and co-founder at Blue Hexagon.

That’s something that could have been top-of-mind for REvil recently after hitting 360 targets in the U.S. this year. A flurry of activity from the group preceded its disappearance, culminating in the July 4, 2021 weekend attack on managed service provider Kaseya, as did stern warnings from U.S. president Joe Biden to Russian president Vladimir Putin to flush out the cybercriminals the country harbors or feel the wrath of the U.S.

After tough talk with Putin, it is unclear what specific steps the Biden administration planned to take in retaliation for the most recent spate of ransomware attacks, or even if REvil going dark reflects action taken by the U.S.

“The U.S. has unsurpassed red team abilities at least a decade ahead of our adversaries,” noted MeasuredRisk founder Tom Albert.

Bryson Bort, Scythe and GRIMM founder and CEO, is betting on at least some minimal action by the U.S., tweeting, “Pwned by [insert USG agency] – infrastructure only, probable; anything more, doubtful[;] FSB shut them down – sadly, but laughably doubtful.”

Calling REvil’s disappearance “a very enticing set of circumstances,” Dave Cundiff, vice president of member success at Cyvatar, said, “It would be wonderful to believe that the Russian president took Biden at his word and did the responsible thing as a world leader by arresting REvil for committing crimes within the borders of Russia.”

Putin and his cohorts may have adjusted their perspective more recently. “The Russian government didn’t care about the cybercrime occurring within its borders, so long as it didn’t impact Russia itself,” said Williams. “That has clearly changed–the Russian government can clearly see they are being impacted by the actions of these actors.”

But, “based on previous behaviors of groups like this, it is more likely that either REvil decided to close shop temporarily to allow for our collective attention to shift to some other threat, or—if the group is more directly under the control of government agencies within Russia—that their controllers may have directed a change of identity or some similar activity,” said Cundiff.

And therein lies the rub. REvil may have “simply rebrand[ed] like so many groups have (likely including REvil itself),” said Williams.

“Dissemination and pulling a disappearing act is the only logical step for them followed by a possible release of their code base in hopes that other ransomware authors will pick up the trail and muddy the waters when it comes to any agencies investigating them,” said Das.

While REvil going offline is a positive step, “it is only a matter of time before another ransomware incident takes place,” warned John Vestberg, CEO and co-founder of Clavister. “In particular, critical national infrastructure, such as oil and gas, is a prime target for ransomware gangs—systems are underpinned by a myriad of complex information and operational technology devices, and so the consequences if these are infiltrated can be devastating.”

Organizations with huge supply chains and large customer bases offer ransomware gangs the “opportunity for wide-ranging effects which makes those impacted more likely to pay up, either individually or collectively,” Vestberg said.

So, the real question “is not what happened to REvil,” said Vectra President and CEO Hitesh Sheth, “it’s how we defend against a constantly changing threat matrix where REvils come and go like trains at Grand Central.”

“Whether REvil is back in business next week with a new name or succeeded by a similar ransomware power makes no difference,” said Sheth. “We assume the challenge is ongoing. The best response is for every organization to emphasize a security-first IT strategy.”

That is, he said, “how we build a more secure digital future.”

Security Boulevard

Teri Robinson
