REvil Reemergence: Real, Fake or Rebranding?

May 16, 2022

• Are hacker gang disappearing and reappearing acts legitimate?
• REvil’s return after the Russian government’s alleged arrests of members in January isn’t a surprise, given the context of the Ukraine invasion.

Many companies have stared down cyber crime organizations like REvil, DarkSide and BlackMatter only to see them disappear overnight. Being attacked and having systems and terabytes of data held hostage and huge ransom demands for the keys to unlock the files – this is a company’s worst technology nightmare. It’s bad enough to be the victim of a ransomware attack, but what happens when a victim company has no bad guy to pay – and therefore no bad guy to provide a decryption key? What was the purpose of the attack?

In years of leading cyber investigations, I’ve seen ransomware gangs go dark for a number of reasons, including infighting; fear of law enforcement or the intelligence community; partner activity that threatens the organization; and heightened media attention. In some unique cases, government agencies have neutered gangs by infiltrating them and taking control of servers. These operations lead to law enforcement takedowns of the members, dismantling of the infrastructure and access to the decryption keys, which are used to unlock victims’ files.

In other cases, groups got scared and went dark out of fear they might be caught and criminally prosecuted. Finally, there are groups that simply don’t have the ability to follow through and decrypt the victim’s data; these gangs hope victims will pay before the ruse is discovered. Once the money is in their account, they disappear, leaving the victim with neither its cash or data.

The threat of getting caught, though, isn’t enough to scare off ambitious hackers. All too often, members of dismantled groups escape arrest and prosecution, joining up with others to form new gangs or striking out on their own to provide “crowd-sourced” hacking services for hire. They can also get the band back together – and in some cases do – starting up again under a different name.

Not long after launching a major supply chain attack in July 2021, REvil went dark. The group’s infrastructure, including its surface and DarkWeb portals (used for ransom negotiations and data leaks) were shut down on July 12. Before this, though, REvil was one of the most prolific, high-profile ransomware gangs in the world. (Their business model is unique: they typically rent code out in what is termed “Ransomware as-a-Service.”)

REvil’s vanishing act stands out because it was a shock, believed to be driven by the media and U.S. government actions taken as a result of the May 2021 Colonial Pipeline attack. But it was also unusual because there was no prior notice or statement on either the mainstream web or the DarkWeb. It also didn’t follow the lead of other defunct ransomware gangs and release a master decryption key before seeping into the ether.

What isn’t shocking to me is REvil’s reemergence after the Russian government’s alleged arrests of members in January. Assuming these actually occurred – not a safe assumption, by any means – it would be folly to believe that the hackers are still in custody given the Russian invasion of Ukraine, the imposition of economy-crushing sanctions by the United States and its Western allies, and the current geopolitical relationship between the U.S. and Russia. Furthermore, the lackluster history of law enforcement against cyber actors within Russia’s borders suggests that REvil’s reemergence and new look are directly tied to the war in Ukraine. As the Russian economy founders, the Russian state threat actors and their proxies – most notably REvil and Conti – will be using their ransomware tools to help fund the Russian regime and the war in Ukraine.

Unfortunately, ransomware continues to be profitable, coming at the expense of companies public and private, large and small, in every industry. Enterprises must understand the cyber threat environment and be truly honest about the vulnerabilities within their ecosystem; they must secure their data and ecosystems: and they must combine these internal actions with serious intelligence-based public and private partnerships.

Only then will ransomware groups cease to be a threat.