On July 2, 2021, the IT management software developer Kaseya Ltd. learned that its VSA (Virtual System Administrator) product was the victim of one of the largest ransomware attacks in history. Kaseya VSA is remote monitoring and management software commonly used by MSPs (Managed Service Providers) to administer their clients' systems. Though Kaseya stated that fewer than 60 of its customers were directly breached, many of those customers provide IT services to other businesses, so an estimated 800 to 1,500 downstream companies across the world were impacted.
This supply chain ransomware attack was carried out by the REvil ransomware gang, which claimed to have encrypted more than one million systems and demanded $50 million in ransom for a universal decryptor. REvil is an infamous Russia-based cybercrime syndicate responsible for several recent notable attack campaigns, including the ransomware attacks against Quanta Computer, Sol Oriens, Acer, and JBS. Operating under a ransomware-as-a-service (RaaS) model, REvil ranks first among the most common ransomware variants, with 14.2% of the total market share.
Between the ransomware attack on Colonial Pipeline by the Russia-based group DarkSide and the series of Russian state-sponsored cyberattacks, such as the latest APT 29 attack against Synnex and the RNC, Russia has come under a lot of heat for the malicious cyber activity emanating from the country.
It is speculated that cybercriminal groups operating out of Russia, like DarkSide and REvil, are actually composed of members of Russian state-sponsored APTs (advanced persistent threats) moonlighting to make a profit on the side. It is well known that Russia permits its hackers to conduct their own cyberattacks, as long as those attacks stay targeted at the West. Reverse engineering reveals that both DarkSide's and REvil's malware are configured to check the system's language settings and to skip encryption when certain languages are installed, so as to avoid hitting systems located in former Soviet Bloc countries.
What remains unknown is whether the Russian government is simply giving tacit approval for these ransomware attacks or if it is actively pulling the strings.
Following the worldwide condemnation the Russian government faced for the SVR's SolarWinds supply chain attack (and the sanctions imposed by the U.S.), Russia appears to be avoiding the consequences of direct attribution. It is possible that, in exchange for allowing criminal groups like REvil to continue operating and drawing in profit, the Kremlin requires these organizations to relay important information and insights that could be used for national security purposes. Such insights could include weaknesses in U.S. (and global) supply chains, such as the zero-day vulnerability in Kaseya's VSA software that REvil readily found and exploited.
Russia may also be using large ransomware attacks to distract from more covert state-operated cyberattacks. Russia and Putin are benefiting in a number of ways from the time and energy that authorities have been forced to dedicate to ransomware. A widespread supply chain attack against Kaseya could have been strategically timed to divert attention and allow Russian government hackers to go after valuable intelligence targets, like Synnex and the RNC. In the future, this "chaos as a cover" tactic by Russia is something to watch for in the wake of large-scale ransomware attacks.
On July 12th, cybersecurity researchers noticed that the websites and infrastructure used by REvil had mysteriously gone offline. REvil maintains Tor network infrastructure on the dark web that includes one data leak site and 22 data hosting websites. The darknet and clearnet sites that the group uses to leak data, negotiate ransoms, and support its infrastructure are now inaccessible and display the error message "Onionsite Not Found," meaning the sites are offline or disabled. Moreover, REvil's clearweb payment website, decoder[.]re, no longer resolves in DNS, which could indicate that the DNS records for decoder[.]re have been removed or that the backend DNS infrastructure has been shut down.
Well, no one really knows for sure why REvil went offline. But here are some theories:
It was an offensive response by U.S.-led law enforcement
It is possible that law enforcement, likely led by the U.S., was able to seize and shut down REvil's infrastructure, similar to what happened with DarkSide. Some even speculate that policing efforts could have forced REvil to shut down its infrastructure to protect itself and its members.
LockBit ransomware representatives posted to the Russian-speaking XSS hacking forum that, according to unconfirmed information, REvil's server infrastructure had received a government legal request forcing it to erase its servers entirely and go underground. Shortly after, the XSS admin banned 'Unknown' (REvil's public representative) from the forum. This is not unusual: top forums routinely ban users they suspect of being under the control of law enforcement.
However, I believe this shutdown was not directly caused by law enforcement. If law enforcement were behind this, it is likely they would publicize it as a deterrent to other ransomware groups. When the FBI does a legal takedown, as it did when it dismantled the Emotet malware infrastructure in February 2021, it typically publishes a press release announcing the operation and, if applicable, puts up a notice on the cybercriminal website along the lines of "This site has been seized by the FBI in relation to criminal activity."
Since we have not heard anything that definitively points to government intervention, I am led to theorize that this was a REvil-initiated shutdown. There are a couple of reasons why REvil would choose to take down its infrastructure:
The Russian Government told it to lay low.
With President Biden doubling down on the warnings he made at the Biden-Putin summit in June and threatening to take active measures unless Russia addresses the ransomware groups operating out of the country, it is possible that the Kremlin told REvil to shut things down for a while. REvil's ransomware operations brought a lot of direct heat onto the Russian government, and if Putin is involved (as mentioned earlier), he could have realized that REvil's operations are bringing more consequences than benefits. The negative backlash from the international community may have prompted the Kremlin to order REvil to halt operations and go underground.
REvil decided that it’s time to take a break and rebrand itself.
Over the past couple of months alone, REvil members have made millions off their ransomware attacks. With increasing pressure on the group, and on ransomware in general, REvil may think it is time to let things cool off. The group may be taking downtime to hide from the close watch of law enforcement, but it is very unlikely that REvil is gone for good. Why? The success of the group's operations and the large inflow of cash into its pockets are enough motivation to stage a comeback and work on new malware strains and variants.
The prediction of a comeback is supported by the fact that REvil has already rebranded once before. In late May 2019, the GandCrab ransomware group announced its retirement after receiving a significant amount of attention from law enforcement and the cybersecurity industry. Experts believe that GandCrab had already begun its rebranding efforts a month before announcing its retirement, in the form of a more exclusive ransomware operation: REvil. The similarities between REvil and GandCrab, such as the TTPs they use to compromise enterprise targets, the affiliates that distribute the ransomware, and the code itself, lead the security industry to believe REvil is an evolution of GandCrab.
Holding 14.2% of the market share of all ransomware attacks, REvil's absence leaves a power vacuum at the top of the food chain. Cybercriminal groups are like a hydra: cut off one head and another (or several) will take its place. Only time will tell what fills the gap left by REvil. Whether it will be another major ransomware gang like Conti or LockBit, a rebrand of REvil itself, or an entirely new group on the scene, we are not entirely sure.
The truth is, ransomware is a complicated ecosystem. Governments have been known to hide espionage attempts behind the facade of ransomware attacks, as with the infamous NotPetya, Russian state-sponsored malware designed to look like ransomware. It is possible that the Russian government has been the puppetmaster behind these recent large-scale ransomware attacks, allowing its hackers to make money while collecting information on targets of interest.
If the Kremlin was trying to avoid direct attribution and escalation by leveraging the robust industry of Russian individuals hacking into Western systems, I think it has now realized that this is no longer a viable strategy. The convergence of government strategy with cybercriminal activity is a grey area that has not been fully explored yet, and the international community is still deciding exactly how to deal with and counter it. The only thing we do know is that the world has not seen the end of large-scale, destructive ransomware attacks, and it is more important than ever to coordinate law enforcement and increase public-private collaboration to disrupt operations like these for good.