As the security community continues to question who was responsible for the sudden disappearance of the REvil ransomware gang, the threat actor’s current victims are left to pick up the pieces, now that the option to negotiate and pay is off the table.
While companies are advised by law enforcement not to cooperate with ransomware demands, payment sometimes remains the lesser of two bad outcomes. So, if this was a case of U.S. law enforcement authorities cracking down on REvil, then such actions came with collateral damage.
Of course, it’s also possible that Russia helped shut down the group’s operations in response to U.S. President Joe Biden’s demands for cooperation in the fight against ransomware. Or the actors may have decided to pull up stakes, at least for now, after feeling the heat following the group’s high-profile supply chain attack on IT software company Kaseya and the users of its VSA remote monitoring product, as well as its infection of food processing company JBS. In the end, the result is the same: REvil’s resources, including its blog and payment sites, were taken offline.
Still, the question remains: Should law enforcement authorities take into consideration the fate of current victims before executing a takedown — or is it more important to take care of the bigger picture, which is eliminating the threat?
“This is actually a very good question that has no simple answer,” said Vladimir Kuskov, head of threat exploration at Kaspersky. “This is definitely something worth taking into consideration. On the other hand, [this] does not mean that a takedown is something that should be avoided. An ideal scenario would be to take down ransomware resources and extract and release the decryption keys.”
For Steve Moore, chief security strategist at Exabeam, the answer is clear-cut: the crackdown on the actor takes precedence.
“It's important to remember these are campaigns that, in this case, use a shared third-party platform to deploy unique ransomware software,” said Moore. “It's months of effort, design, and planning to, often in hours, compromise these victim environments. With this in mind, if offensive actions are taken, priority should be given to the removal of their infrastructure so as to limit the opportunity to infect new victims.”
Brett Callow, threat analyst at Emsisoft, agreed, adding that from a law enforcement perspective, “I would suspect the primary objective is simply to disrupt the operation – which, while necessary, may nonetheless create problems for organizations that were planning to pay.” And commentary from Austin Berglas, global head of professional services at BlueVoyant, and former assistant special agent in charge of the FBI’s New York Office Cyber Branch, confirmed as much.
“A law enforcement takedown of a major ransomware group such as REvil would be considered a dismantlement,” said Berglas. “There is often collateral damage associated with major takedowns. In this instance, there would no doubt be current victims left in various stages of negotiation with the criminal group. Unfortunately, there is not much that law enforcement can do. However, one of the main goals of a takedown such as this would be to obtain the keys necessary for decryption and make them publicly available.”
For companies that do find themselves stranded in this situation, there may still be a small ray of hope, however.
“There is always a chance that decryption keys will be released in the future by REvil or someone else. Such things have happened before with Avaddon ransomware, for example,” noted Kuskov.
Beyond that, “there are undoubtedly fewer options for anyone who hasn't paid and recovered at this point,” said Moore. “If you have not done so already, you should contact law enforcement — ideally a group with which you already have a relationship, [like the] FBI or Secret Service. If this was a product of an offensive takedown, there might be an opportunity through them to obtain keys — however, this is a big stretch.”
“The only other pivot is manual recovery and a bolstering of SOC capabilities — often a laborious exercise and a hard lesson learned,” he added.
Any such manual recovery will likely rely heavily on backup copies, so it’s critical that they were regularly saved, maintained and protected.
“On a positive note, early reports indicate that backups may have only been deleted in a relatively small number of Kaseya-related incidents,” Callow noted.
John Martineau, principal consultant, Unit 42 at Palo Alto Networks, expanded on this advice: “Companies in the position of encryption without a means to decrypt should focus on preservation through imaging, copying off a virtual machine, or something similar in case there is a chance at a decryptor release or a forensic investigation is desired.”
“Finally, organizations should review their attack surface area to identify other vectors of potential future compromise and consider an XDR solution that would have signatures to potentially detect, prevent and alert to ransomware execution.”
As for REvil, companies should not be surprised if the threat actor resurfaces in the future under a new incarnation.
“We cannot exclude such a possibility that they will somehow return after some time under the same or different name and maybe with different ransomware strain,” said Kuskov. “After all, REvil itself appeared after another gang, GandCrab, shut down its operations in 2019 — and there are connections between these two families.”
Moore’s prediction was particularly worrisome. “They undoubtedly [already] have their next software compromised — a technique that began in espionage and has now been borrowed for criminal activity; this campaign hasn't started yet.”
His advice to organizations: “Focus more on the missed intrusion and poor recovery options and less on ransomware. Ransomware is the product of being unable to detect and disrupt the cycle of compromise — period. Listen to your SOC and incident response teams and test your disaster recovery plans. Unfortunately, even those with good backups generally suffer from restoration failures. The data might exist, but it's slow to recover, and the infrastructure configurations are gone.”