On 13 June, cybercriminal group REvil disappeared from the internet. REvil’s official dark websites and services were shut down without any notice or message from the group. This perplexing shutdown came ten days after REvil had orchestrated one of the biggest ransomware attacks in history by infiltrating US-based IT firm Kaseya. The attack affected around 1500 companies in 17 countries.
On 22 June, IT firm Kaseya announced that they had received a universal decryption tool for the REvil ransomware from a third party. Though it is still unknown who the party is, there is a possibility of it being an affiliate of REvil who had access to the decryption tool. Cybersecurity firm Emsisoft confirmed that the decryption tool does decrypt data encrypted by the REvil ransomware. Kaseya and Emsisoft have joined hands to help victims who were unable to decrypt their data even after paying the ransom (due to the faulty decryption tool provided by REvil earlier).
The news on REvil’s exit has brought out two pertinent questions. What led to REvil’s sudden exit, and what are the evident changes in the Ransomware-as-a-Service industry with REvil gone?
Reasons for REvil’s exit
First, the possibility of a Russian crackdown. One of the most prominent theories is that Russia has decided to stop supporting cybercriminal groups like REvil after US President Joe Biden warned his Russian counterpart about ransomware attacks originating from Russia during the Geneva summit. President Biden’s warning of retaliatory cyber-attacks for any attack originating from Russia could have forced the Russian government to rethink its strategy in abetting ransomware groups. After the Kaseya attack, President Biden had even made a call to President Putin regarding the seriousness of the issue.
Second, the timely intervention of the FBI and Interpol. Both the FBI and Interpol have worked together in the past to bring down large cyber-crime groups, so a target like REvil would not be new to them. The strategy used by both law enforcement agencies has been effective in controlling cyber-attacks originating from Europe. Rather than going after all assets belonging to a ransomware group, these law enforcement agencies target their financial accounts or command and control servers, leaving the groups inoperable. If either one of these agencies has managed to catch an affiliate of REvil, then it is wiser for the group to quit before all its affiliates are pursued.
Third, the Avaddon strategy. Avaddon was a ransomware gang operating at the same scale as REvil. The gang decided to close its operations in June after having profited from the ransomware business. As they released their statement announcing their departure, Avaddon also gave away the decryption tools for their ransomware for free. Although unlikely, REvil might be following Avaddon’s path. Owing to the JBS and Kaseya attacks, REvil is the most wanted group of cybercriminals in Europe. Thus, REvil would benefit from quietly stepping down from business.
Changes in the ransomware business
REvil has been one of the most successful and influential players in the ransomware business since its inception in 2019. In 2019 they accounted for nearly 10 per cent of all ransomware attacks globally, and in 2020 REvil operators announced that they had made USD 100 million from their ransomware-as-a-service business. They have also set the standard for large-scale ransomware attacks along with highly sophisticated ransomware creations. With the sudden departure of such a large player, we could see a few changes in the ransomware-as-a-service industry.
First, the rise of new ransomware groups. When large ransomware groups decide to shut down operations, they usually disintegrate and their members end up forming new groups. REvil itself is a good example of this. In 2018, when the ransomware group GandCrab decided to end its operations, its members split up, which led to the formation of new groups like REvil and DarkSide. Therefore, REvil’s exit is guaranteed to bring new ransomware groups into the picture. REvil’s affiliates would eventually become the clientele for such new groups as well.
Second, a change in strategy. With the amount of international pressure put on REvil after the JBS and Kaseya attacks, ransomware groups would surely be shifting their operations from Europe and North America to other parts of the world, such as Asia and Oceania. Ransomware groups would target small and medium-sized businesses more frequently than massive industries to keep a low profile. They are also most likely to stop accommodating affiliates that target critical infrastructure or supply chains in developed countries, even though the pay-outs would be high.
Third, the closing gap between the law and cybercriminals. On 15 July, the US Department of State announced a USD 10 million reward for anyone willing to give information on cybercriminals targeting critical infrastructure. Bounties are an incentive for stopping ransomware groups with a large number of affiliates who look for higher pay-outs. Law enforcement agencies in Europe and the US have become more robust and cooperative in tackling such threats. Lawmakers around the world have also acknowledged the need for tighter rules and regulations in cyberspace. All these countermeasures, along with the exit of REvil, could push a few prominent ransomware groups into retirement. If Russia did indeed withdraw support for cybercriminals, then the golden age of ransomware gangs from Russia might come to an end.
REvil’s exit might be a ploy to trick law enforcement agencies. Still, with the rising pressure on ransomware gangs, there would not be a favourable environment for them to operate if they decide to return. REvil’s exit would also leave a power vacuum in the ransomware business that many would compete to fill. However, it is worth noting that REvil revolutionized the ransomware industry, and though they might be gone, their ideas will continue to dominate the industry.
