REvil, the ransomware group behind the JBS meat supplier and massive July 4th Kaseya attacks, reportedly resurfaced over the U.S. Labor Day weekend.
Shortly after what is still considered the largest ransomware attack in history, the Russia-based REvil ransomware gang seemingly disappeared into thin air with media outlets reporting their infrastructure and websites going offline on July 12. These sites included the group’s negotiation and payment site, public forum and contact chat (if this sounds like a business website, it’s because it is in many aspects despite the illegal nature of the operations).
Many experts cited the fact all of their sites being shut down simultaneously was unusual and speculated the gang may have erased their servers due to a supposed government subpoena. Additionally, their XXS administrator banned a user known as “Unknown” from their hacking forum – a user which was believed to have been their public-facing representative of the gang. While there was a brief sigh of relief when their servers disappeared, this ended the ability for those negotiating for their data to contact the group.
Following the abrupt disappearance of their digital footprint, experts who were curious when the gang would resurface did not have to wait long as associated dark web servers for their websites resurfacing over the U.S. Labor Day weekend, including the Happy Blog. This site is where REvil publishes samples of stolen data before locking victims out of the networks and starting the ransomware negotiations. Another portal REvil uses to negotiate payment was also reactivated, although no new activity has been reported.
So why has REvil seemingly reappeared and what’s next?
First, there were very few who thought the gang had disbanded permanently. With a string of high profile victims including U.S. meat supplier JBS, Apple manufacturer Quanta and the now infamous July 4th Kaseya ransomware attack, REvil was one of the top targets of the Biden Administration, who promised to shut down their servers if the Russian government would not act. There was never an official statement from either side, but many speculated that either the White House had delivered on their promise or REvil went into hiding with all of the heat on them.
Another possible explanation is that they were simply on vacation No, really. Like those of us in the workforce, ransomware groups are known to slow down during the summer months and focus on “getting back to work” in the fall and holiday season. Alternatively, there are some that think the sites being reactivated are actually being controlled by law enforcement or the reactivation is simply an accident – this are best case scenario in many views for obvious reasons.
If the servers being activated again are not law enforcement or accidental, the re-emergence of their online presence is plenty cause for alarm based on their track record and a developing story to monitor moving forward.
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.