Ransomware threat group REvil vanished from the internet last week, leaving the security community with little more than theories as to where it might have gone.
REvil's disappearance comes shortly after the group took credit for a high-profile attack against remote IT monitoring software provider Kaseya. The organization is also associated with the recent attack against meat supplier JBS USA, which paid a ransom worth $11 million in bitcoin.
Despite the disappearance, hacking groups never completely go away. Their absences are more akin to hibernation, allowing threat actors downtime to hide from law enforcement scrutiny or to iterate on new malware strains. For companies, this means hacking groups pose omnipresent threats. At best, a disappearance offers respite.
In intelligence, "I don't think we necessarily always close the book on a lot of these groups until we actually hear something like, you know, all 50 members were arrested and they sinkholed every single domain and everything they got," said Sean Nikkel, senior cyber threat intelligence analyst at Digital Shadows.
For a group to really be gone, a clear conclusion is required, Nikkel said.
While there is no official account on what happened to REvil, security experts pointed to a number of plausible scenarios:
- The group is rebranding and will reemerge
- REvil is disbanding and its affiliates will find other groups.
- Law enforcement disrupted its operations
- The organization is experiencing technical difficulties
- A rival group hacked REvil's site
It is not uncommon for ransomware attackers to go dark for a period of time and reemerge, in some cases using the same ransomware family, said Jen Miller-Osborn, deputy director of threat intelligence, Unit 42, Palo Alto Networks. In some cases, groups will have a new version of the ransomware family with similar affiliates.
Groups do this a number of times, especially when they're attracting attention, as is the case with REvil, according to Miller-Osborn. Widespread attention puts them on law enforcement's radar, which is bad for business.
REvil, also known as Sodinokibi, has rebranded before, according to Palo Alto Networks' Unit 42 research. The group emerged in April 2019, but likely developed by the creators of GandCrab, a ransomware group that emerged in January 2018.
When groups rebrand, security researchers track the same affiliates using the new ransomware family if the old one was retired, Miller-Osborn said.
But groups often don't effectively rebrand. "There's not a whole lot of effort put into it," she said. "It'll be the same graphics, the same kind of font size, the same feel, but they'll just switch out a new name."
It's about the money
There's motivation for a hacking group to return: money.
Ransomware groups run like a business, a far cry from when individual contributors created malware and sent it out, said Bruce Snell, global VP, security strategy and transformation at NTT Security.
"This whole ransomware-as-a-service model, it's almost kind of reinventing the arms race," Snell said. Groups put thought into commission rates for affiliates and some even have training modules to show how to distribute it, building communities to further distribute ransomware schemes.
Marketing matters, too. "There's value in the name, brand and the recognition," he said.
To date, REvil/Sodinokibi has received at least $12.1 million from ransoms this year, second only to Conti, which has earned at least $12.7 million, according to the open, crowdsourced ransomware payment tracker Ransomwhere.
Companies are also willing to pay. In 2020, the average ransom organization paid was $312,493, almost triple 2019's payments of $115,123, according to Unit 42 research. The highest ransom paid last year was $10 million, but attackers are asking even more.
The financial opportunities from criminal gangs stem from the ransom and what's known as the double extortion. Groups will encrypt an organization's files, exfiltrate data and threaten to disclose it if demands aren't met, providing additional avenues for making money.
"They're doing that because a lot of companies have gotten to the point where they have good traditional responses to ransomware, which was to have the backups, so they wouldn't have to pay the ransom," Miller-Osborn said.
REvil is known for making large ransom demands, but as an enterprising business, it will negotiate with victims to lower payments, Unit42 found. It's largest demand to date was Kaseya's $70 million ransom, which it lowered to $50 million.
Money keeps these groups coming back, Nikkel said. Groups spread several million-dollar paydays among affiliates.
Everyone's going to make some money, and if you're an individual contributor, "you're at least getting a new Range Rover in the driveway," Nikkel said.
How to sink a group — for good
Hacking groups are akin to a hydra; you cut one head off and another will return.
Disrupting operations for good would take a coordinated law enforcement operation. Such a move was seen this year when an international group of authorities took control of EMOTET malware's infrastructure.
There was also a coordinated effort to takedown the Trickbot botnet last year, but Bitfender researchers have since found an increase in Trickbot activity.
Disrupting the ransomware groups goes beyond discussions between heads of state; it requires coordination between the private sector, international governments and law enforcement.
"This is a global problem, it's done and executed at a global scale," Miller-Osborn said. "And that's really the scope of what's needed working together and being able to work together quickly to start having real world effects on this."
The coordination will align more resources than infrastructure takedowns, which do little to stop the people behind the activity.
The National Security Agency or Cybersecurity and Infrastructure Security Agency declined to comment. The Department of Justice did not respond by publication time.