In July 2021, the well-known REvil (Sodinokibi) ransomware gang seemed to have stopped operations, as its Tor payment website and data leak blog instantly went offline. The DarkSide ransomware operation likewise became quiet. A lot of security specialists thought that the gang was laying low with its ransomware-as-a-service (RaaS) operations or that law enforcement took down its infrastructure. A few of the servers the REvil gang used were restored on the web momentarily however were taken down once more in the middle of October. This momentary resurrection was believed to be the attempt of an affiliate to carry on the operation.
The clear shutdown of the REvil operation was after two big attacks — on the food manufacturing business JBS and the software management firm Kaseya. Affiliates of the REvil gang had created the DarkSide ransomware variant. It was the ransomware used in attacking Colonial Pipeline, which prompted the one-week shutdown of its fuel pipeline to the Eastern seaboard of the U.S. Although ransomware had constantly presented a risk to critical infrastructure, these ransomware attacks clearly show that critical infrastructure wasn’t off-limits for ransomware gangs.
Following the attacks, the White House ordered to make more resources available to take care of the threat of ransomware, as the attacks were raised to a level equivalent to terrorism. President Biden had a meeting with Russian President Vladimir Putin and exhorted him to do something against ransomware groups within its region, while the United States continues to work with cybersecurity experts to talk about other cybersecurity projects to offset the danger. At the beginning of this month, President Biden stated that the U.S. would be taking part in a meeting of over 30 countries’ leaders to fight ransomware.
Law Enforcement Targeted REvil Operation
A recent Reuters report states that it is now clear that the breakdown of the REvil operation was the outcome of the initiatives of international law enforcement. The VMWare’s head of cybersecurity strategy and advisor to the US Secret Service, Tom Kellerman, said that the FBI, the Secret Service,
the Cyber Command, and like-minded nations, have carried out major disruptive measures against the ransomware groups.
in 2019, REvil sprang from the GandCrab ransomware operation and quickly grew to be the most active ransomware group, being responsible for 73% of the 2021 Q2 ransomware attacks. In July, prior to the REvil gang going dark, law enforcement acquired access to a few of its system infrastructure and servers. Kellerman confirmed that law enforcement had held back attacks on a number of organizations. Copying the tactics of the REvil gang, law enforcement likewise breached its backups. The REvil gang tried to recover its servers using backups, but law enforcement had control of the restored infrastructure. “0_neday,” a leader of the REvil operation, recently shared on a cybercrime forum about the compromise of its servers.
The breakdown pretty much surely ends the REvil operation; nevertheless, when takedowns happen, it is typical for ransomware groups to just rebrand and begin a fresh operation. The affiliates of the RaaS operations usually just sign up with another RaaS operation, thus although REvil was a big operator, it doesn’t mean the end of ransomware attacks. Following the news of the takedown, other ransomware gang members posted on the internet showing unification with the REvil operation. A Groove operation member called upon other ransomware groups to react to the breakdown and conduct more targeted attacks in the United States.