What’s going on with REvil, the gang pursued by the US government?

After two massive attacks in quick succession, the REvil ransomware operators disappeared from the Internet. For how long?

“We will work diligently to bring malicious actors to justice.” At the beginning of June 2021, the American authorities put the REvil gang in their sights. The group of cybercriminals had infected JBS, one of the largest companies in the food industry, with its ransomware. The attack was a success for the gang, as the victim agreed to pay a ransom of $11 million to obtain the decryption keys and restart its operations as soon as possible.

Over a month later, on the night of July 12 to 13, all of REvil’s sites went offline, as BleepingComputer, the leading ransomware news outlet, spotted. Some were dedicated to negotiating ransoms, others to publishing stolen data or even promoting the gang’s activities.

End clap for REvil? // Source: Louise Audry for Numerama

Most were “.onion” sites, accessible only through the Tor network, which is what commonly qualifies them as part of the “dark web”. Such sites routinely go offline for short periods because of the relative instability of the network. But their simultaneous disappearance is surprising, especially since even the group’s site on the “clear web” is no longer accessible. Sufficient clues to question the future of the group?

American pressure, stronger than ever

The story does not end there. The afternoon following the disappearance, a LockBit representative (a gang competing with REvil) posted on XSS, the popular Russian-language cybercrime forum: “Based on unsubstantiated information, REvil’s infrastructure received a legal request from the government, which forced REvil to completely wipe out its servers and go out of business. However, this is not confirmed.” In the process, the forum’s administrators banned “Unknown”, the spokesperson of the gang. As BleepingComputer points out, this kind of measure usually aims to protect the forum when the user is suspected of having been compromised by the police.

Earlier in the week, President Joe Biden said he had contacted his Russian counterpart Vladimir Putin again to ask for help in arresting the ransomware operators. Historically, the Russian authorities have let cybercriminals operating on their territory act freely, as long as they do not attack countries within Russia’s sphere of influence. But since the start of the year and the Colonial Pipeline affair, the United States, supported by its G7 allies, has been putting real diplomatic pressure on Russia to change this posture.

“The United States will take any necessary action”

Their rhetoric has recently hardened even further, with Biden saying that “the United States will take any action necessary to defend its people and critical infrastructure”, while a White House spokeswoman had threatened a few days earlier with an American intervention on Russian territory “if the Russian government cannot or does not”.

It must be said that the warnings issued after the JBS affair did not prevent REvil from striking again, and even harder. The gang successfully exploited a vulnerability in Kaseya software to deploy its ransomware to over a thousand corporate networks. It then demanded a ransom of $50 million to unlock everything, or expensive individual payments for each network.

Where has REvil gone?

Until REvil’s disappearance is commented on by those directly concerned or by the authorities, we can only theorize about the reasons:

  • A temporary stop for technical reasons. This is the least likely hypothesis, but it cannot yet be ruled out. REvil may reappear as is, possibly with updates.
  • A voluntary shutdown, as a precaution. This is the most plausible lead. REvil would thus follow in the footsteps of Darkside (involved in the Colonial Pipeline affair) and Babuk (which extorted the Washington DC police). These two groups of cybercriminals voluntarily unplugged their infrastructures before the authorities reached them. This kind of early shutdown is more about removing traces before it is too late than about putting an end to the activity. Thus, several Babuk members simply launched a new site with a new version of the ransomware. This is not an isolated case: “rebrandings” are common in cybercriminal circles. REvil itself was created by members of GandCrab, a ransomware operation that went missing in 2019, and it would not be surprising if they changed their name again. Likewise, the torch of the famous Maze was taken up by Egregor. Alternatively, the cybercriminals may simply have taken early retirement with their millions of dollars.
  • Dismantling by the police. With the takedowns of operations like Emotet and TrickBot, the authorities have recently proven that they can, from time to time, put cybercriminals in handcuffs and seize their infrastructure. If this were the case for REvil, it would be the result of a very rare collaboration between Russians and Americans.
