Russia’s most aggressive ransomware group disappeared. It’s unclear who disabled them.
Just days after President Joe Biden demanded that President Vladimir Putin of Russia shut down ransomware groups attacking American targets, the most aggressive of the groups suddenly went offline early Tuesday.
The mystery is who made it happen.
The group, called REvil, short for “Ransomware evil,” has been identified by U.S. intelligence agencies as responsible for the attack on one of America’s largest beef producers, JBS. Two weeks after Biden and Putin met in Geneva last month, REvil took credit for a hack that affected thousands of businesses around the world over the July 4 holiday.
That latest attack led to Biden’s ultimatum in a phone call Friday to the Russian president. Later, Biden said that “we expect them to act,” and when asked by a reporter later if he would take down the group’s servers if Putin did not, the president simply said, “Yes.”
He may have done exactly that.
But that is only one possible explanation for what happened around 1 a.m. Eastern time Tuesday, when the group’s sites on the dark web suddenly disappeared.
Gone was the publicly available “happy blog” the group maintained, listing some of its victims and the group’s earnings from its digital extortion schemes. Internet security groups said the custom-made sites — think of them as virtual conference rooms — where victims negotiated with REvil over how much ransom they would pay to get their data unlocked also disappeared. So did the infrastructure for making payments.
While the disappearance of the hackers’ online presence was celebrated by many who see ransomware as a new scourge — one Biden has called a critical national security threat — it left some of the group’s targets in the lurch, unable to pay the ransom to get their data back and get their businesses running again.
“What’s the plan for the victims?” asked Kurtis Minder, CEO of GroupSense, a digital risk protection company that was negotiating with the extortionists on behalf of a law firm whose data was locked up.
There were three main theories about why REvil — which seemed to revel in the publicity and reaped huge ransoms, including $11 million from JBS — suddenly disappeared.
One is that Biden ordered the U.S. Cyber Command, working with domestic law enforcement agencies, including the FBI, to bring the group’s sites down. Cyber Command proved last year that it could do just that, paralyzing a ransomware group it feared might turn its skills to freezing up voter registrations or other election data in the 2020 election.
The second theory is that Putin ordered the group’s sites taken down. If so, that would be a gesture toward heeding Biden’s warning, which he had also conveyed, in more general terms, when the two leaders met June 16 in Geneva. And it would come just a day or two before a U.S.-Russia working group on the issue, set up during the Geneva meeting, is supposed to hold a virtual meeting.
A third theory is that REvil decided that the heat was too intense, and took the sites down itself to avoid becoming caught in the crossfire between the U.S. and Russian presidents. That is what another Russian-based group, DarkSide, did after the ransomware attack on Colonial Pipeline, the U.S. company that in May had to shut down the pipeline that provides gasoline and jet fuel to much of the East Coast after its computer network was breached.
But many experts think that DarkSide’s going-out-of-business move was nothing but digital theater, and that all of the group’s key ransomware talent will reassemble under a different name. If so, the same could happen with REvil, which Recorded Future, a Massachusetts cybersecurity firm, estimates has been responsible for roughly one-quarter of all the sophisticated ransomware attacks on Western targets.
Allan Liska, a senior intelligence analyst at Recorded Future, said that if REvil has disappeared, he doubted it was voluntary. “If anything, these guys are braggadocios,” Liska said. “And we didn’t see any notes, any bragging. It sure feels like they abandoned everything under pressure.”
There were suggestions that the pressure may have come from Russia. The commander of U.S. Cyber Command and director of the National Security Agency, Gen. Paul Nakasone, was not expected to get the full options for U.S. action against ransomware actors until later this week, several officials said. And there was no evidence that REvil’s sites had been “seized” by a court order, which the Justice Department frequently posts.
Cyber Command declined to comment.
While shutting REvil for now would give Putin and Biden a chance to show they were confronting the problem, it could also give the ransomware actors an opportunity to walk away with their winnings. The big losers would be the companies and towns that do not get their encryption keys, and are locked out of their data, perhaps forever. (Often when ransomware groups disband, they publish their decryption keys. That did not happen Tuesday.)
Biden is expected to roll out a ransomware strategy in coming weeks, making the case that Colonial Pipeline and other recent attacks show how crippling critical infrastructure constitutes a major national security threat.
“And it’s also why we’re elevating ransomware in our engagements with Russia,” said Secretary of State Antony Blinken. “Our message is clear: Countries that harbor cybercriminals have a responsibility to take action. If they don’t, we will.”
The plan is expected to be full of incentives for companies and local governments to improve their basic defenses. For example, insurance companies that write cyberinsurance policies, which pay victims of attacks, could insist that customers meet higher security standards before the policies are issued.
But Biden, having repeatedly warned that he will strike back at Russian “bad actors” who threaten American security, may also soon have to demonstrate that he plans on enforcing his red line — if not against REvil, then against its successors and competitors.
“This is a problem for Biden because in cyber, there’s a temptation to be stealthy and send your message in a very quiet, targeted way, but now, having made the threat, he has to say to the American public and the world, ‘This is what we did,’” said Paul Rosenzweig, a scholar at the free market advocacy group R Street Institute and a member of the American Bar Association’s Cybersecurity Legal Task Force.
“And some of the most important effects are very hard to do in public,” he added, because they can risk revealing American capabilities.
In an article in Lawfare published just before REvil’s unexplained disappearance, Jack Goldsmith, a Harvard law professor who writes frequently on cybersecurity issues, got at a central problem: While the United States has threatened Russia with “consequences” for both state-sponsored attacks and criminal ransomware, the penalties have been light.
“This talk has persisted even as adverse cyberoperations have grown more frequent and damaging,” he wrote. “It is ineffective and, in the aggregate, self-defeating.”
So it was unsurprising that just as REvil closed down, or at least took a holiday, SolarWinds, the company at the center of a highly sophisticated hack that became public during Biden’s presidential transition, announced that it had been hacked anew.
The new incident did not appear anywhere near as far-reaching as the original SolarWinds intrusion, which U.S. intelligence says was the work of the SVR, Russia’s most savvy spying agency. It was unclear if Russia was part of the second hack, too.
But it was only a few months ago that Biden placed sanctions on Russian officials and agencies for the damage done by the first SolarWinds hack, which got into network management software that the company sells to government agencies and most major companies in the United States. Once inside the updates to that software, the SVR had access to vast troves of government and corporate data. It chose only about 150 targets out of nearly 18,000 that downloaded the software.