The ransomware attacks on Colonial Pipeline and JBS hammered home the point that ransomware attacks are a national security issue that threatens the lives of all Americans, rather than simply attacks on U.S. businesses. Following the attacks, the White House announced that additional steps would be taken to deal with the ransomware threat and disrupt the activities of ransomware groups, with additional resources made available to target the gangs and the status of the attacks raised to a similar level to counterterrorism.
Following the Colonial Pipeline attack, in which DarkSide ransomware encrypted the company's systems, the DarkSide operation went dark and its ransomware-as-a-service offering shut down; many security experts believe the group rebranded as BlackMatter. The notorious REvil ransomware operation also had its infrastructure shut down in July, with both its payment site and data leak site going dark shortly after the attacks on JBS and Kaseya. At the time it was unclear whether the group had decided to lie low because of the increased heat on cyber extortion operations or whether it had been the target of a law enforcement takedown. It now appears that the latter was the case.
According to Reuters, the shutdown of the infrastructure and subsequent outages have been due to a coordinated effort by law enforcement agencies in several countries which are hitting back at ransomware gangs. REvil (Sodinokibi) was top of the list, being one of the most prolific ransomware threat groups since it emerged as an offshoot of the GandCrab ransomware operation in April 2019.
The Colonial Pipeline attack has now been tied to REvil. REvil associates are believed to have developed the ransomware variant used in the attack. After the initial shutdown of the REvil infrastructure, the leader of the gang – who used the moniker “unknown” – disappeared and has not been seen online since. The takedown of the infrastructure was reportedly carried out by a foreign partner of the U.S. government, which was able to hack into the gang's systems. The operation against the gang is reportedly ongoing.
The REvil infrastructure was partially resurrected by a member of the gang with the moniker “0_neday”; however, last weekend the operation was shut down once again. In a post on a cybercrime forum, 0_neday wrote: “The server had been hacked, and they were on the lookout for me. They removed the route of my secret service from the torrc file and replaced it with their own, causing me to go there. I double-checked with others, and this was not the case. Good luck to everyone; I’m leaving now.”
The attempt to restore the infrastructure from backups did not prove successful. “The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” Oleg Skulkin, deputy head of the forensics lab of Russian cybersecurity company Group-IB, told Reuters. “Ironically, the gang’s own favorite tactic of compromising the backups was turned against them.”
Since the takedown, other ransomware gangs have responded in a show of solidarity with their REvil counterparts. A member of the Conti ransomware gang posted on Pastebin suggesting that the United States is fair game because of its foreign policies, and the Groove gang issued a call for revenge against the United States, urging the cyber extortionist community to step up attacks on U.S. targets.
While the takedown of REvil is certainly good news, it is unlikely that the affiliates working for the gang will stop their attacks. They are likely either to move to another RaaS operation or to change tactics and turn to other methods of profiting from their skills. And while the REvil ransomware operation has been shut down, the shutdown may only be temporary: the group may simply reemerge with a new ransomware variant and a new RaaS operation.
However, with law enforcement operations underway to target the cryptocurrencies that the gangs use for their ransom payments, it may prove to be much harder for the gangs to profit. Time will tell if the takedown has any impact on the volume of ransomware attacks being conducted in the U.S.