Pittsburgh Post-Gazette

Who disabled Russia’s most aggressive ransomware group?

- By David E. Sanger

Just days after President Joe Biden demanded Russian President Vladimir Putin shut down ransomware groups attacking American targets, the most aggressive of the groups suddenly went offline early Tuesday.

The mystery is who made it happen.

The group, called REvil, short for “Ransomware evil,” has been identified by U.S. intelligence agencies as responsible for the attack on one of America’s largest beef producers, JBS. Two weeks after Mr. Biden and Mr. Putin met in Geneva last month, REvil took credit for a hack that affected thousands of businesses around the world over the July Fourth holiday.

That latest attack led to Mr. Biden’s ultimatum in a phone call July 9 to the Russian president. Later, Mr. Biden said that “we expect them to act,” and when asked by a reporter later if he would take down the group’s servers if Mr. Putin did not, the president simply said, “Yes.”

He may have done exactly that.

But that is only one possible explanation for what happened around 1 a.m. Eastern time Tuesday, when the group’s sites on the dark web suddenly disappeared.

Gone was the publicly available “happy blog” the group maintained, listing some of its victims and the group’s earnings from its digital extortion schemes. Internet security groups said the custom-made sites — think of them as virtual conference rooms — where victims negotiated with REvil over how much ransom they would pay to get their data unlocked also disappeared. So did the infrastructure for making payments.

While the disappearance of the hackers’ online presence was celebrated by many who see ransomware as a new scourge — one Mr. Biden has called a critical national security threat — it left some of the group’s targets in the lurch, unable to pay the ransom to get their data back and get their businesses running again.

“What’s the plan for the victims?” asked Kurtis Minder, CEO of Group Sense, a digital risk protection company that was negotiating with the extortionists on behalf of a law firm whose data was locked up.

There were three main theories about why REvil — which seemed to revel in the publicity and reaped huge ransoms — suddenly disappeared.

One is that Mr. Biden ordered the U.S. Cyber Command, working with domestic law enforcement agencies, to bring the group’s sites down. Cyber Command proved last year that it could do just that, paralyzing a ransomware group it feared might turn its skills to freezing up voter registrations or other election data in the 2020 election.

The second theory is that Mr. Putin ordered the group’s sites taken down. If so, that would be a gesture toward heeding Mr. Biden’s warning when the two leaders met June 16 in Geneva. And it would come just a day or two before a U.S.-Russia working group on the issue, set up during the Geneva meeting, is supposed to hold a virtual meeting.

A third theory is that REvil decided that the heat was too intense, and took the sites down itself to avoid becoming caught in the crossfire between the U.S. and Russian presidents. That is what another Russian-based group, DarkSide, did after the ransomware attack on Colonial Pipeline, the U.S. company that in May had to shut down the pipeline that provides gasoline and jet fuel to much of the East Coast after its computer network was breached.

But many experts think that DarkSide’s going-out-of-business move was digital theater, and that all of the group’s key ransomware talent will reassemble under a different name. If so, the same could happen with REvil, which Recorded Future, a Massachusetts cybersecurity firm, estimates has been responsible for roughly one-quarter of all the sophisticated ransomware attacks on Western targets.

There were suggestions that the pressure may have come from Russia. The commander of U.S. Cyber Command and director of the National Security Agency, Gen. Paul Nakasone, was not expected to get the full options for U.S. action against ransomware actors until later this week, several officials said. And there was no evidence that REvil’s sites had been “seized” by a court order, which the Justice Department frequently posts.

Cyber Command declined to comment.

While shutting REvil for now would give Mr. Putin and Mr. Biden a chance to show they were confronting the problem, it could also give the ransomware actors an opportunity to walk away with their winnings. The big losers would be the companies and towns that do not get their encryption keys, and are locked out of their data, perhaps forever.

Mr. Biden is expected to roll out a ransomware strategy in coming weeks, making the case that Colonial Pipeline and other recent attacks show how crippling critical infrastructure constitutes a major national security threat.

The plan is expected to be full of incentives for companies and local governments to improve their basic defenses. For example, insurance companies that write cyberinsurance policies, which pay victims of attacks, could insist that customers meet higher security standards before the policies are issued.

Photo: Doug Mills/The New York Times. President Joe Biden and Russian President Vladimir Putin meet June 16 in Geneva. A Russian group, called REvil, short for “Ransomware evil,” is believed responsible for the attack that brought down one of America’s largest beef producers.
