Dark web sites associated with the ransomware gang REvil went offline on July 13, according to analysts. It is not yet clear who, if anyone, is responsible for the outage.
REvil is the Russia-based ransomware-as-a-service group behind the Kaseya and JBS USA attacks. JBS USA ultimately paid an $11 million ransom, while the wide-ranging Kaseya supply-chain attack came with an exorbitant $70 million demand. There has been no report of Kaseya paying a ransom; the company restored its operations earlier today.
“This outage could be criminal maintenance, planned retirement, or, more likely, the result of an offensive response to the criminal enterprise – we don’t know,” Steve Moore, Exabeam chief security strategist, said in a statement to MeriTalk.
“If the outage is the result of an offensive response, this then sends a new message to these groups that they have a limited window in which to work,” Moore said. “Furthermore, if a nation responds to criminals backed by and hosted in another country, this will change the definition of risk for affected private organizations.”
Whether the outage resulted from American or Russian action, or from something else entirely, is not known. It did come just days after President Biden pledged to act against Russia-based ransomware actors if Russian President Vladimir Putin did not, though there is no confirmation that U.S. cyber forces were involved.
“I made it very clear to [Putin] that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” President Biden told reporters July 9.
Biden and Putin spoke again last week, and Biden announced July 9 that a working group of national security officials from both countries will meet again on July 16.
While the REvil outage is a welcome development, experts are urging businesses not to relax their defenses.
“When malware infrastructure goes offline – even temporarily – that’s obviously good news for businesses,” Neil Jones, Egnyte cybersecurity evangelist, told MeriTalk. “However, I would encourage organizations not to let their guard down, and to continue with the proven detection and mitigation strategies that have gotten them through the recent ransomware crisis.”
“Realistically, new ransomware infrastructure can be brought online quickly, so we all need to remain vigilant,” Jones continued. “While it’s too early to determine the cause of the sites’ outages, continual steps must be taken to thwart ransomware groups, and the public and private sectors must come together at the highest levels to challenge multi-million-dollar cyber-criminal gangs.”