A notorious Russian hacker group allegedly responsible for major ransomware attacks in the US has suddenly gone offline, presumably after America’s President Joe Biden had a talk with President Vladimir V. Putin of Russia about these activities.
The group, called REvil, short for “Ransomware evil,” has been identified by US intelligence agencies as responsible for the attack on JBS, America’s largest beef producer. Most recently, it attacked thousands of small and medium businesses through a cloud service platform.
The latest attack led to a telephone conversation between the two leaders in which President Biden reiterated that the threat needed to be tackled. He later said at a press conference that the US would take down the group’s servers itself if that did not happen.
The mystery here is whether the Russians complied or whether the US simply shut down the servers. Around 1 a.m. Eastern time on Tuesday, the group’s sites on the dark web suddenly disappeared. The blog where the group listed its victims and its earnings from the extortions vanished. Security analysts said the custom sites maintained by REvil for negotiating ransoms with affected parties have also disappeared, as has the infrastructure for collecting payments.
REvil has raked in millions in ransom payments. The disappearance of the group is certainly something to be celebrated, but many victims have been left in the lurch. Their systems and data remain compromised because they were still in negotiations with the hackers. “What’s the plan for the victims?” asked Kurtis Minder, the chief executive of GroupSense, a digital risk protection company that was negotiating with the extortionists on behalf of a law firm whose data was locked up.
Most likely, the US security agencies, including the FBI, the United States Cyber Command, and some other agencies, took down the group’s sites. Cyber Command had done something similar during the 2020 US elections, when it was feared that voters’ data might be compromised.
Alternatively, President Putin might have ordered the sites to be taken down. That would mean acceding to the US president’s request made during the June 16 Geneva meeting and a subsequent phone call.
And it has come just a day before a US-Russian working committee set up to discuss the matter was due to meet virtually.
And lastly, REvil may have decided to shut down the sites itself under the immense pressure brought by the two governments. Earlier, another hacker group, DarkSide, which attacked the Colonial Pipeline in the US, was also taken down.
Many experts think that the closing of DarkSide’s and REvil’s operations is just eyewash, or at most temporary, and that both groups will rebound after a suitable gap.
Recorded Future, a Massachusetts cybersecurity firm, estimates REvil has been responsible for roughly a quarter of all the sophisticated ransomware attacks on Western targets.
Allan Liska, a senior intelligence analyst at Recorded Future, said that if REvil has disappeared, it is doubtful it happened voluntarily. He said such groups like to brag about their conquests. “And we didn’t see any notes, any bragging. It sure feels like they abandoned everything under pressure,” he added.
Most likely, the group was forced to shut up shop by the Russians, as the US Cyber Command was slated to take action this week. But the greatest losers are the companies and other affected people who have yet to get their decryption keys and data access back from REvil. The hackers themselves have walked away with millions.
The US government is rolling out a ransomware strategy to prevent attacks that can cripple infrastructure and compromise the nation’s security. “And it’s also why we’re elevating ransomware in our engagements with Russia,” said Secretary of State Antony J. Blinken. “Our message is clear: Countries that harbor cybercriminals have a responsibility to take action. If they don’t, we will.”
What remains to be seen is how strict the US government is going to get with the perpetrators. For the time being, the problem has barely been tackled, and it will not go away. It is bound to re-emerge in another nefarious avatar.
Along with stricter norms against cyberattacks and better cyber security deployed by companies, a stricter punishment regime has to be worked out, one that sends the message that the attacked countries mean business.