REvil vanishes from the Web without a trace
The mysterious shutdown comes only days after the ransomware group’s massive Kaseya cyber attack hit at least 1,000 businesses
14 July 2021 | 0
The notorious ransomware gang REVil, also known as Sodinokibi, has disappeared from the Internet, with its entire Web presence rendered offline.
REvil has carved a reputation in recent years as being highly prolific, unafraid of targeting massive companies and demanding increasingly eye-watering sums of money following its attacks. The firm also licenses its malware in a form of ransomware-as-a-service (RaaS) operating model.
According to various security researchers, the group’s servers and its payment sites are down, while its public spokesperson, who goes by ‘Unknown’, hasn’t been active since last Thursday. It’s too early to tell how or why all traces of REvil has vanished, and researchers are urging caution as speculation runs rife.
The shutdown is particularly strange given the timing, with REvil only days ago launching a massive attack against Kaseya that is said to have affected 1,500 businesses, with the group demanding a $70 million ransom in exchange for providing the universal decryption key. REvil also recently targeted Apple, threatening to release hardware schematics, and last year claimed to have made $100 million from its activities.
“It would seem that everything is down for REvil (landing page, payment, ‘helpdesk’ chat),” said Exabeam’s chief security strategist, Steve Moore.
“This outage could be criminal maintenance, planned retirement, or, more likely, the result of an offensive response to the criminal enterprise – we don’t know.
In the absence of a definitive answer, speculation is rife on social media and within the cyber security community as to what might have caused this shutdown, with US-led enforcement action one of the prevailing theories. The operators behind the ransomware that targeted the US Colonial Pipeline, for instance, claimed they were targeted by law enforcement officials shortly after their major attack.
Other security specialists are speculating that it’s more likely to be hardware-related or even self-initiated. Ransomware and malware specialist Lawrence Abrams has suggested as much, claiming the disappearance could be part of a rebranding effort. He later added that LockBit ransomware representatives claim the authorities targeted one of REvil’s servers, which was subsequently wiped. REvil’s spokesperson, Unknown, was then also banned on the widely visited Russian-speaking hacking forum XSS.
Another cyber security expert, Kevin Beaumont, has claimed that such a disappearance isn’t too unusual, with different groups likely to have stability issues due to the way they operate. While it’s possible that law enforcement agencies targeted the group, it’s equally likely that REvil has had an internal falling out or hardware failure, he added.
In a later tweet, Beaumont reported that according to chatter on the Dark Web, REvil has performed an exit scam, and so has been purged from the Internet. In cyber crime terms, an exit scam involves a group ceasing operating for its clients, by claiming that their databases were seized, for example, before walking away with deposits and providing their clients with nothing in exchange.
One well-known exit scam involved Jokeroo ransomware in 2019, in which the RaaS site claimed their servers were seized by the Royal Thai Police (RTP) alongside Europol and the Dutch National Police (DNP). Researchers, at the time, reached out to all three agencies, with Europol denying it was involved in any operation, according to Binary Defence.
Steve Moore, from Exabeam, added that If the outage is the result of an offensive response, this then sends a message to these groups that they have a limited window in which to work.
“If a nation responds to criminals backed by and hosted in another country, this will change the definition of risk for affected private organisations,” he continued. “The question becomes, who is and isn’t ready to participate in this new theatre? If a nation engages in offensive ‘hack back’ operations, then to what degree should they defend private companies as well – which is arguably more valuable?”
© Dennis Publishing
Professional Development for IT professionals
The mission of the Irish Computer Society is to advance, promote and represent the interests of ICT professionals in Ireland. Membership of the ICS typically reduces courses by 20%. Find out more