REvil infrastructure disappearance sparks speculation about fate of infamous ransomware slingers
Ransomware groups periodically disappear, only to reinvent themselves under new branding.
Other possibilities include interdiction by law enforcement – US authorities have shown themselves more willing to actively dismantle cybercrime infrastructure of late – or even interference from rival cybercrime gangs.
The Sodinokibi ransomware, widely attributed to the REvil gang and distributed by affiliates through a Ransomware-as-a-Service (RaaS) business model, has been a scourge of corporate security over the last two years or more.
The group’s malware-fuelled cybercrime activity has intensified of late with the Kaseya supply chain attack, and it could be that the REvil crew have stepped back in order to allow things to cool off.
The success of REvil in making millions of dollars means that a return in some form is perhaps the most likely scenario.
Oleg Skulkin, a lead digital forensics analyst at security firm Group-IB, commented:
REvil have either decided to shut down their infrastructure themselves to then start from scratch and continue working under a new name with updated tools (as was the case with Ako ransomware, which then evolved into Ranzy) or, in another scenario, REvil infrastructure might have gone down as a result of a law enforcement operation.
REvil’s accounts on hacker forums have been blocked by the administration, according to Group-IB, as a precaution against law enforcement action on the forum. This disavowal suggests the denizens of the dark web think the authorities might have intervened.
“The possible police action against REvil isn’t likely to become a big problem for their affiliates since the latter jump from one ransomware-as-a-service program to another, or even work with multiple RaaS [suppliers] at the same time,” Skulkin explained.
Vladimir Kuskov, head of threat exploration at antivirus vendor Kaspersky, added that known REvil representatives have been banned from a darknet cybercrime forum.
“Resources related to REvil, which included a blog with information about their attacks, as well as payment sites, went offline,” Kuskov said.
“A representative of this group was also banned from a popular darknet forum where participants of this criminal industry communicate.”
The security pro added: “Why the websites went down is not yet clear, however, circumstances suggest that REvil might stop its operations, following the path DarkSide, Avaddon, and Babuk took.”
REvil is a Russian-speaking RaaS operation that’s thought to be based in Russia. The group avoids targeting Russian institutions via system language detection that’s built into the malware code.
The US has threatened retaliation against Russia in the wake of the Kaseya attack and this could be a factor in the shutdown.
“My guess is that it was political pressure, from the US to Russia and Russia to them,” according to BlackBerry threat researcher Eric Milam, who has previously done extensive research into the threat actors.
Milam told The Daily Swig: “When the spotlight is on a criminal group, they may choose to step away for a while.
“They often use this time to make a ‘better product’ and come back later. This is not unlike companies that start to get a bad reputation, they tend to rebrand themselves and come back as something ‘different’, even if it’s just their name.”
Some evidence suggests that REvil sprang from the ashes of GandCrab, an earlier and now defunct ransomware operation.
Milam and his colleagues are well placed to attribute further attacks to those behind REvil, should the gang return.
“Our team would focus mainly on the hard evidence of any new variants,” Milam explained. “That would include things like fingerprinting the file/code, the modes of operation, location of attacks, etc. Most attackers won’t really change their core techniques.”