Wild Speculations Amid REvil Ransomware Group's Disappearance From the Dark Web

REvil ransomware group has gone completely offline and raised questions among experts looking to analyze the reasons behind the widely-reported outage


The REvil ransomware group, which was described by cybersecurity analysts as the most prolific ransomware-as-a-service operation of 2020, has disappeared from the internet.

The gang, which was blamed for the recent high-profile JBS and Kaseya ransomware attacks, has reportedly gone offline. Apart from its extortion pages and servers going offline, researchers discovered that REvil’s dark web advertisement pages had been shut down since last week.

It is worth noting that REvil, also referred to as Sodinokibi, had been linked to the creators of GandCrab malware in 2018. The threat actors affiliated with GandCrab had focused their activities on attacking healthcare organizations, which included the medical billing provider Doctor’s Management Service.

GandCrab would later announce that they were hanging their hacking boots in 2019, after having made a whopping $2 billion in ransom payments in a one-year operational period.

Soon after, following REvil ransomware’s appearance in a number of extortion schemes, investigators discovered striking similarities between the two gangs. In fact, they asserted their confidence in the notion that REvil ransomware group had been created by former GandCrab members.

Until recently, REvil acted as an entity that sold hacking tools and other cyber wares to third party cybercriminals. The dark web acted as a focal point where adverts would be posted and ransomware payments with victims would be negotiated.

What Could Have Happened?

Cybersecurity experts have not gained clarity about what exactly may have influenced REvil’s disappearance from the internet. Various theories have been raised in attempts to rationalize how one of the world’s most devastating ransomware groups may have decided to go offline.

On the one hand, the possibility of a permanent exit is difficult to ignore, considering that the group had never taken every aspect of its operation offline since its entry in 2019.

A section of cyber analysts opine that REvil’s move may have been a response to the U.S. President Biden administration’s warning of a more aggressive campaign against cybercriminal activities.

According to media reports, President Biden has challenged Russian leader Vladimir Putin to make a commitment to fight globally-positioned cybercriminal groups operating within Russian borders.

The Putin government has, for a long time, been blamed for being lenient on Russian-based threat actors as long as they don’t target domestic firms and agencies. In fact, a number of reports have raised suspicions on the Russian government’s involvement behind some of the most brazen cyberattacks targeting U.S. federal agencies in the recent past.

Indeed, REvil is among the cybercriminal formations that have enjoyed Russian leniency – the ransomware group has orchestrated several massive cyberattacks against high-tier establishments linked to critical U.S. infrastructure.

Nonetheless, cybersecurity experts have considered that the ransomware group’s decision may be a tactical move to reconfigure its operational strategy. This possibility is reflected in past events in which cybercriminal groups suspended their activities in the wake of significant media and law enforcement attention – the groups would later reappear after a rebranding process that helped them avoid detection.

Analysts have also noted that REvil ransomware is a commodity that may be rented out to other threat actors. According to Egnyte’s cybersecurity expert Neil Jones, this means that REvil’s potency should not be underestimated following their disappearance from the dark web.

While speaking to CPO Magazine, the “cybersecurity evangelist” warned organizations against letting their guards down. Failure to maintain robust cybersecurity fences would potentially expose the businesses to a likely and quick comeback of the ransomware.

At this point, although it may be too early to fathom the actual circumstances behind REvil’s outage, public and private sector actors must unite in securing business environments accordingly – relevant authorities should invest in more cybersecurity solutions.
