REvil, Hacking Group Behind Major Ransomware Attack, Disappears

• July 13, 2021

Just days aft President Biden demanded that President Vladimir V. Putin of Russia unopen down ransomware groups attacking American targets, the astir assertive of the groups abruptly went off-line aboriginal Tuesday.

The enigma is who made it happen.

The group, called REvil, abbreviated for “Ransomware evil,” has been identified by U.S. quality agencies arsenic liable for the attack connected 1 of America’s largest beef producers, JBS. Two weeks aft Mr. Biden and Mr. Putin met successful Geneva past month, REvil took recognition for a hack that affected thousands of businesses astir the satellite implicit the July 4 holiday.

That latest onslaught led to Mr. Biden’s ultimatum successful a telephone telephone connected Friday to the Russian president. Later, Mr. Biden said that “we expect them to act,” and erstwhile asked by a newsman aboriginal if helium would instrumentality down the group’s servers if Mr. Putin did not, the president simply said, “Yes.”

He whitethorn person done precisely that.

But that is lone 1 imaginable mentation for what happened astir 1 a.m. Eastern clip connected Tuesday, erstwhile the group’s sites connected the acheronian web abruptly disappeared.

Gone was the publically disposable “happy blog” the radical maintained, listing immoderate of its victims and the group’s net from its integer extortion schemes. Internet information groups said the custom-made sites — deliberation of them arsenic virtual league rooms — wherever victims negotiated with REvil implicit however overmuch ransom they would wage to get their information unlocked besides disappeared. So did the infrastructure for making payments.

While the disappearance of the hackers’ online beingness was celebrated by galore who spot ransomware arsenic a caller scourge — 1 Mr. Biden has called a captious nationalist information menace — it near immoderate of the group’s targets successful the lurch, incapable to wage the ransom to get their information backmost and get their businesses moving again.

“What’s the program for the victims?” asked Kurtis Minder, the main enforcement of GroupSense, a integer hazard extortion institution that was negotiating with the extortionists connected behalf of a instrumentality steadfast whose information was locked up.

There were 3 main theories astir wherefore REvil — which seemed to revel successful the publicity and reaped immense ransoms, including $11 cardinal from JBS — abruptly disappeared.

One is that Mr. Biden ordered the United States Cyber Command, moving with home instrumentality enforcement agencies, including the F.B.I., to bring the group’s sites down. Cyber Command proved past twelvemonth that it could bash conscionable that, paralyzing a ransomware radical it feared mightiness crook its skills to freezing up elector registrations oregon different predetermination information successful the 2020 election.

The 2nd mentation is that Mr. Putin ordered the group’s sites taken down. If so, that would beryllium a motion toward heeding Mr. Biden’s warning, which helium had besides conveyed, successful much wide terms, erstwhile the 2 leaders met connected June 16 successful Geneva. And it would travel conscionable a time oregon 2 earlier a U.S.-Russia moving radical connected the issue, acceptable up during the Geneva meeting, is expected to clasp a virtual meeting.

A 3rd mentation is that REvil decided that the vigor was excessively intense, and took the sites down itself to debar becoming caught successful the crossfire betwixt the American and Russian presidents. That is what different Russian-based group, DarkSide, did aft the ransomware onslaught connected Colonial Pipeline, the U.S. institution that successful May had to unopen down the pipeline that provides gasoline and pitchy substance to overmuch of the East Coast aft its machine web was breached.

But galore experts deliberation that DarkSide’s going-out-of-business determination was thing but integer theater, and that each of the group’s cardinal ransomware endowment volition reassemble nether a antithetic name. If so, the aforesaid could hap with REvil, which Recorded Future, a Massachusetts cybersecurity firm, estimates has been liable for astir a 4th of each the blase ransomware attacks connected Western targets. .

Allan Liska, a elder quality expert astatine Recorded Future, said that if REvil has disappeared, helium doubted it was voluntary. “If anything, these guys are braggadocios,” Mr. Liska said. “And we didn’t spot immoderate notes, immoderate bragging. It definite feels similar they abandoned everything nether pressure.”

There were suggestions that the unit whitethorn person travel from Russia. The commandant of United States Cyber Command and manager of the National Security Agency, Gen. Paul M. Nakasone, was not expected to get the afloat options for U.S. enactment against ransomware actors until aboriginal this week, respective officials said. And determination was nary grounds that REvil’s sites had been “seized” by a tribunal order, which the Justice Department often posts.

Cyber Command declined to comment.

While shutting REvil for present would springiness Mr. Putin and Mr. Biden a accidental to amusement they were confronting the problem, it could besides springiness the ransomware actors an accidental to locomotion distant with their winnings. The large losers would beryllium the companies and towns that bash not get their encryption keys, and are locked retired of their data, possibly forever. (Often erstwhile ransomware groups disband, they people their decryption keys. That did not hap connected Tuesday.)

Mr. Biden is expected to rotation retired a ransomware strategy successful coming weeks, making the lawsuit that Colonial Pipeline and different caller attacks amusement however crippling captious infrastructure constitutes a large nationalist information threat.

“And it’s besides wherefore we’re elevating ransomware successful our engagements with Russia,” said Secretary of State Antony J. Blinken. “Our connection is clear: Countries that harbor cybercriminals person a work to instrumentality action. If they don’t, we will.”

The program is expected to beryllium afloat of incentives for companies and section governments to amended their basal defenses. For example, security companies that constitute cyberinsurance policies, which wage victims of attacks, could importune that customers conscionable higher information standards earlier the policies are issued.

But Mr. Biden, having repeatedly warned that helium volition onslaught backmost astatine Russian “bad actors” who endanger American security, whitethorn besides soon person to show that helium plans connected enforcing his reddish enactment — if not against REvil, past against its successors and competitors.

“This is simply a occupation for Biden due to the fact that successful cyber, there’s a temptation to beryllium stealthy and nonstop your connection successful a precise quiet, targeted way, but now, having made the threat, helium has to accidental to the American nationalist and the world, ‘This is what we did,’” said Paul Rosenzweig, a student astatine the escaped marketplace advocacy radical R Street Institute and a subordinate of the American Bar Association’s Cybersecurity Legal Task Force.

“And immoderate of the astir important effects are precise hard to bash successful public,” helium added, due to the fact that they tin hazard revealing American capabilities.

In an nonfiction successful Lawfare published conscionable earlier REvil’s unexplained disappearance, Jack Goldsmith, a Harvard instrumentality prof who writes often connected cybersecurity issues, got astatine a cardinal problem: While the United States has threatened Russia with “consequences” for some state-sponsored attacks and transgression ransomware, the penalties truthful acold person been light.

“This speech has persisted adjacent arsenic adverse cyberoperations person grown much predominant and damaging,” helium wrote. “It is ineffective and, successful the aggregate, self-defeating.”

So it was unsurprising that conscionable arsenic REvil closed down, oregon astatine slightest took a holiday, SolarWinds, the institution astatine the halfway of a highly blase hack that became nationalist during Mr. Biden’s statesmanlike transition, announced that it had been hacked anew.

The caller incidental did not look anyplace adjacent arsenic far-reaching arsenic the archetypal SolarWinds intrusion, which U.S. quality says was the enactment of the S.V.R., Russia’s astir savvy spying agency. It was unclear if Russia was portion of the 2nd hack, too.

But it was lone a fewer months agone that Mr. Biden placed sanctions connected Russian officials and agencies for the harm done by the archetypal SolarWinds hack, which got into web absorption bundle that the institution sells to authorities agencies and astir large companies successful the United States. Once wrong the updates to that software, the S.V.R. had entree to immense troves of authorities and firm data. It chose lone astir 150 targets retired of astir 18,000 that downloaded the software.

Nicole Perlroth and Julian E. Barnes contributed reporting.