REvil, the ransomware designers who supplied the Kaseya, JBS, and HX5 hackers their wares, has once again gone offline. Unlike their first disappearance over the summer, it appears this was the work of a disruptive force.
The REvil group is an affiliate program that allows customers to install predesigned ransomware and use a prominent leaks site in exchange for a commission on ransoms paid. Its annals read like a soap opera. After REvil ransomware leveraged a vulnerability in Kaseya to infect managed service providers and their customers this summer, REvil took down its infrastructure in July in an apparent bid to let growing heat on ransomware operators die down. Since then, the whereabouts of REvil founder UNKN ("unknown") are unknown. He broke all contact with criminal forums and coworkers. In September, other members of REvil re-relaunched the service without him.
Now, the service and its leaks blog are down once again.
According to forum posts, someone with knowledge of the ransomware service's private keys started to shut down the servers and hijack its darknet web address. A founder on the forum denies it was him and that the only other person supposed to have access would have been UNKN.
The REvil relaunch since September has been fraught with problems, notes Allan Liska, a ransomware expert with Recorded Future. By shutting down so abruptly in July that they failed to pay some clients, they lost some goodwill with their customers. They lost more credibility as one of the rumors about UNKN guessed he had been captured by either the Russian or American governments and forced to change sides. Yet more credibility was lost when clients began to post about an alleged secret REvil backdoor the group could use to usurp its clients and take over negotiations, and still more credibility when the Washington Post reported the FBI had obtained the encryption keys from REvil around the time of the Kaseya attacks by hacking their servers.
"That they were offering up to 90% of the payment to affiliates, which is extremely unusual for a ransomware broker," said Liska.
There are two main theories as to the disruption of REvil. As Liska put it, one could be an instance of "bad guys doing bad-guy things to each other." Maybe UNKN wanted his product back, a competitor got petty, or a criminal saw a shortcut to an empire.
The other theory is that a governmental group has intervened in REvil's affairs. Over the past year, global law enforcement has been more active in taking down infrastructure. Gen. Paul Nakasone, head of Cyber Command, promised a "surge" against ransomware and criminal groups as they become a national security issue.
Dmitri Alperovich, founder of the Silverado Policy Institute and, before that, Crowdstrike, a prominent advocate of using offensive government capabilities in cyberdefense, told SC Media he believed the takedown was likely related to the FBI's earlier intrusion.
If so, he said, that could be a critical move forward in cybersecurity policy.
"These types of campaigns are critically important to execute not just to collect intelligence on these groups and attribute them for the purposes of indictments, but also to enable disruptive operations that can slow down the pace of attacks," he said.
Though the takedown disrupts REvil's current machinations, ransomware groups have a history of rebranding and reemerging.
From a marketing perspective, that might actually help the beleaguered REvil brand, said Liska. Dark Side affiliates flocked to the BlackMatter brand when it launched, despite the groups being the same.
Whether the intrusion came from UNKN or the federal government, there may be an information security lesson everyone can learn from REvil. They relaunched the site using infrastructure that either the FBI or a retired user might still have access to.
"Relaunching with exactly the same site was a bad idea," said Liska.
