Just days after President Biden demanded that Russian President Putin shut down ransomware groups, the servers of one of the biggest groups mysteriously went dark.
All of REvil’s Dark Web sites slipped offline as of early Tuesday morning, and it is not clear whether it’s because the ransomware gang got busted or whether the threat actors did it on purpose.
The REvil ransomware operation, a.k.a. Sodinokibi, uses both clear web and Dark Web sites to negotiate ransoms, leak data, support its backend infrastructure and receive payment from its many victimized businesses. That victims list has recently grown with the addition of Kaseya and its many managed service provider (MSP) customers, as well as the global meat supplier JBS Foods,
All of REvil’s sites went offline as of around 1 a.m. It doesn’t mean that the infamous gang has been shut down, as one cybersecurity expert emphasized – it’s just that all its websites were unreachable, up until at least Tuesday at 2:55 p.m. EDT.
One possibility: It could be that the U.S. shut down the servers. Then again, perhaps it was the Russian government. The timing would make sense, given the White House’s saber-rattling at Russia about the ransomware plague. The silenced servers come just a few days after President Biden called President Vladimir V. Putin of Russia and demanded that he shut down ransomware groups attacking American targets.
If you don’t, we will, Biden said. On Friday, when a pool of reporters asked the president if the U.S. might attack the servers that Russia-linked cybercriminals have used to hijack American networks, he said, “Yes.”
Ransomware Gangs Are ‘on Borrowed Time’
Jake Williams, co-founder and CTO at BreachQuest, told Threatpost that it’s all just speculation at this point, but ransomware gangs operating in Russia “were on borrowed time the second Colonial was hit.” He was referring to the ransomware attack on Colonial Pipeline leading up to Memorial Day Weekend: An attack that was attributed to the ransomware-as-a-service (RaaS) player DarkSide.
“The Russian government did not care about the cybercrime happening inside its borders, but only so long as it didn’t impact Russia itself,” Williams said in an email. “That has clearly changed – the Russian government can clearly see they are being impacted by the actions of these actors. Whether REvil was taken out of commission by the Russian government, saw the writing on the wall and took infrastructure down, is simply rebranding like so many groups have (probably like REvil itself), or something else, is unknown at this point.”
Theories abound. Drew Schmitt, principal threat intelligence analyst for GuidePoint Security, echoed Williams’ assertion that the darkened servers could be attributed to a number of things at this point.
“A lack of DNS response is a potential indicator of law enforcement involvement, but it’s not enough to determine whether the threat group changed their URL, is performing maintenance, or something similar,” he told Threatpost on Tuesday via email.
“An unresolved DNS response over a short period of time is not necessarily a strong indicator without correlating evidence, statements, etc.,” he expounded. “It could be a short outage, however, we would need more time and evidence to tell what really might be going on.”
This is not the first time, at any rate: Last week, REvil’s site went down for a short while, according to Schmitt.
It could be that REvil chose to fade away, or it could be that its servers were seized à la DarkSide. In the DarkSide server shutdown, the threat actor posted on an underground forum that it had lost access to the public side of its infrastructure: Specifically, the servers for its blog, payment processing and denial-of-service (DoS) operations had been seized.
The Tor Project’s Al Smith told BleepingComputer that the “Onionsite Not Found” message could mean a few things: “In simple terms, this error usually means that the onion site is offline or disabled. To know for sure, you’d need to contact the onion site administrator,” he was quoted as saying.
The sites have recently been active. But as of Tuesday afternoon, visitors were being greeted with messages indicating that “A server with the specified hostname could not be found.”
A ‘Planned’ Takedown
Another cybersecurity expert, John Hultquist of Mandiant Threat Intelligence, told CNBC that it looks like this was an intentional, orderly takedown, though we don’t know yet who’s behind it: “The situation is still unfolding, but evidence suggests REvil has suffered a planned, concurrent takedown of their infrastructure, either by the operators themselves or via industry or law enforcement action,” he said.
REvil’s Usually Up and Humming
At any rate, the inaccessibility of the REvil ransomware group’s sites is unusual, according to the Photon research team at Digital Shadows. The team told Threatpost that REvil’s infrastructure “has historically been more stable than that of other ransomware groups.”
They suggested that the outage could be caused by temporary technical issues or updates, or it could signify a law-enforcement disruption of the group’s operations. But they did note that as of Tuesday, REvil’s representatives “have not appeared on high-profile Russian-language cybercriminal forums for several days.”
This Is Likely Not REvil’s Last Hurrah
The Photon team added that, although chatter about the outage is limited due to some Russian-language forums’ “hostile attitude towards discussing ransomware,” some threat actors have speculated that even if law-enforcement agencies have successfully targeted REvil, it won’t spell the end of the group’s activities. Some threat actors predicted that the group will reappear under another name or split into smaller groups to attract less attention, the team said via email.
In the meantime, the ripples of ransomware attacks by the likes of REvil can spread for months. That was evidenced by an attack on the Guess fashion label that compromised the personal and banking information of 1,300 victims. That data spill came after a February ransomware attack inflicted on Guess and attributed to DarkSide.
Guess has started sending letters to 1,300 employees and contractors who had their personal and banking information exposed during the breach.
But Hurray Nonetheless?
Regardless of whether it is a permanent shutdown or a temporary shut-up, REvil’s darkened servers are cause for celebration, some said.
Katie Nickels, director of intelligence for Red Canary, commented on Twitter: “I don’t know what this means, but regardless, I’m happy! If it’s a government takedown – awesome, they are taking action. If the actors voluntarily went quiet – awesome, maybe they’re scared.”
Does it matter either way? Nickels thinks not: “It’s still important to remember that this does not solve ransomware.”