Ransomware group disappears

REvil, accused in vast hit, goes dark; victims left in limbo

A cybercriminal group that took responsibility for a ransomware attack that affected hundreds of businesses this month has disappeared from sight online.

REvil, which is thought to be based in Russia, was not in its usual places on the dark web Tuesday. Many researchers have blamed the group for the hack that hit technology services provider Kaseya just hours before the beginning of the Fourth of July weekend.

That attack affected software used by hundreds of businesses and locked up victims' files so they could no longer access them. Organizations ranging from a grocery chain in Sweden to a school in New Zealand to small Maryland towns were racing to get their systems back online after the attack.

REvil's site went down early Tuesday, according to cyber analysts. The last known response from the group's servers was around 1 a.m. Tuesday, said Allan Liska, a researcher with cybersecurity firm Recorded Future.

"Someone went in and removed the IP address" linked to the group's site, which is reachable only on the dark web, a portion of the internet that is not easily navigable by search engine, said Dmitri Alperovitch, president of the think tank Silverado Policy Accelerator and former chief technology officer of the cyber firm CrowdStrike.

The reason behind the site outage is unclear. It could have been the result of a request by law enforcement -- British, American or some other government -- to the domain registrar. It could have been the group itself feeling pressured.

The servers do not appear to have been hacked, so this is unlikely to be an offensive cyber operation, Alperovitch said. He also said the fact that the domains were not fully seized made it doubtful that it was a law enforcement operation.

President Joe Biden told Russian President Vladimir Putin last week that the United States will take "any necessary action" to defend U.S. infrastructure, according to the White House.

White House national security adviser Jake Sullivan said the administration would announce new measures on ransomware in the coming weeks.

In any case, the site, which is where ransomware victims communicate with the group, submit payments and receive decryption keys, is now unreachable, creating a dilemma for those whose systems are locked up.

REvil demanded ransoms ranging from $45,000 to $5 million from the victims in exchange for a computer key that would unlock their files and hand control back to the companies. Many victims have refused to pay the ransom, working instead to restore backups for their many computer systems.

But for some, paying a ransom may have been the only choice to regain years of stored data.

Kurtis Minder, founder of the cybersecurity service GroupSense, said many small businesses that had been hit in the Kaseya hack and were considering paying the ransom to REvil are now stuck. Minder, who helps companies negotiate ransoms with hackers, said the websites being down means they can no longer negotiate with REvil to unlock their computers.

It's unclear why REvil's sites are down, but the outage could have the side effect of prolonging the damage to some of the group's most vulnerable targets, he said.

REvil, one of the largest ransomware-as-a-service groups operating today, first appeared in April 2019 and is thought to be an evolution of earlier hacking group GandCrab.

"We don't know if they were directly involved with GandCrab, an affiliate that took over the code or someone who straight up stole it," Liska said. "But the two code bases were very similar when REvil first appeared."

In some cases, cybercriminal groups have been known to offer up decryption keys even without ransom payments. This happened earlier this year in Ireland after the national health service was hacked. That ransomware group, Conti, finally handed over a key amid mounting public pressure.

But Liska said REvil is unlikely to do the same.