REvil (also known as Sodinokibi), one of the most active and dangerous ransomware groups operating today, has disappeared. Or seems to have: the various pages the gang maintained on the dark web stopped working on Tuesday (the 13th). It is unclear, however, whether REvil decided to cease its activities or whether the shutdown of its sites was an action led by authorities.
Both possibilities are plausible for the same reason: REvil is in the spotlight. The group has been attacking large companies and, as a result, has been attracting the attention of authorities, especially in the United States.
Ransomware is, by definition, designed for a single purpose: to encrypt the target’s data and demand a ransom in exchange for the decryption key. It is like a kidnapping, but digital.
A notable example is the case of JBS, which was attacked by REvil in May 2021 and, days later, acknowledged having paid an $11 million ransom to the group.
Security experts and authorities strongly recommend that ransoms never be paid. The problem is that many attacks leave the victim organization with no way out. The gangs also threaten to publish sensitive victim data to increase the pressure to pay.
REvil relies heavily on this approach. To prove that it holds sensitive data, the group often posts samples of the victim’s files or documents on its dark web sites. Or rather, it used to: as noted above, those pages are now offline.
Besides publishing samples, REvil used the pages to negotiate ransoms, claim responsibility for attacks, and actually leak data. Today, every attempt to reach these sites fails. One or another of them going offline from time to time would be unremarkable, but all of them at once? The suspicion of a deliberate shutdown is strong.
Hypotheses for the shutdown of the sites
The New York Times raised three possibilities for the disappearance of the REvil sites: an operation conducted by a US agency, such as the FBI; a shutdown ordered by President Vladimir Putin (REvil is believed to be of Russian origin); and a shutdown decided by the group itself.
The first hypothesis is based on the American government’s concern about the growing role of ransomware groups. REvil’s recent attack on IT company Kaseya, which affected hundreds of companies, may have been the last straw for US officials.
This would also explain a reaction from the Russian government. It is possible that the Putin administration acted in response to complaints from the president of the United States that Russia does not cooperate in curbing cyberattacks originating from its territory.
In a recent statement, Joe Biden said he had made it clear to Putin that the United States could act on its own if the Russian government fails to respond when ransomware attacks are carried out from within Russia.
Finally, the disabling of REvil’s infrastructure may have been voluntary. A representative of another group, LockBit, posted on a hacking forum that REvil had shut down its servers for fear of alleged Russian government action.
Such a decision would not be unprecedented. It is not uncommon for ransomware groups to cease their activities and disperse once they sense authorities closing in. That is what happened with another dangerous group, DarkSide.
There is an extra hypothesis: that REvil simply took a break to get out of the spotlight.
REvil has “affiliates”
Even if REvil’s disappearance is confirmed, there is no basis for declaring the danger over. This and other groups follow the Ransomware as a Service model: they supply the ransomware to “affiliated” hackers, who carry out the attacks and pay the group a commission on the ransoms.
This means that REvil may resurface under other group names, and that its affiliates may turn to other ransomware. REvil itself apparently emerged this way: the group is believed to have formed after the GandCrab gang shut down in 2019.
Source: BleepingComputer.