After REvil, Who Are the Next Cyber Saboteurs?

Cybercrime experts are asking whether REvil, the notorious group of Russian hackers responsible for million-dollar ransomware attacks worldwide, is really gone for good--or operating under a new name. A more interesting question: has the group's exposure motivated authorities to strengthen defenses against future attacks?


Photo by Fernando Amaro via Flickr

Are they gone for good or making a comeback under a new name?

Cybercrime experts are asking the question about REvil, the notorious group of Russian hackers responsible for million-dollar ransomware attacks worldwide.

A more interesting question: has the group’s exposure helped authorities strengthen defenses against future attacks?

Two weeks ago, the cybercrooks appeared to have vanished from the Internet. Just days after President Joe Biden demanded that President Vladimir V. Putin of Russia shut down ransomware groups attacking American targets, this most aggressive of online groups suddenly went off-line.

If that seemed too good to be true, it probably was.

The BlackMatter ransomware gang, a new threat actor, has popped up and begun activity this week, and some experts say it combines elements of REvil and a group called Darkside.

CyberSecurity said in a post on Wednesday, “The birth of the BlackMatter ransomware was first spotted by researchers at Recorded Future who also reported that the gang is setting up a network of affiliates using ads posted on two cybercrime forums, such as Exploit and XSS.”

The group seems to be recruiting criminals with access to the networks of large enterprises with revenues of $100 million a year or larger, in an attempt to infect them with its ransomware, says CyberSecurity.

BlackMatter is reportedly looking for corporate networks in the US, the UK, Canada or Australia.

Meanwhile, the Senate Homeland Security Committee is preparing tough new legislation to combat ransomware attacks, The Washington Post reports. The proposed bill will be part of a new effort to crack down on the use of cryptocurrency in ransomware attacks. “This is one of our top priorities,” Chairman Gary Peters (D-Mich) said.

Estimates put REvil behind one-fourth of all the ransomware attacks in the Western world over the last year, says the New York Times.

According to the data presented by Atlas VPN, ransomware committed by various groups has already cost victims at least $45 million in 2021.

“Some of the ransom payments made this year are the largest ones we have seen yet,” notes Atlas VPN.

REvil had targeted large organizations, which enabled it to obtain enormous ransom payments. Its most well-known target was JBS, one of North America’s largest beef producers, from which it allegedly wrung an $11 million ransom.

JBS was forced to shut down some of its food production sites on May 31st before paying the largest known cybercrime ransom. The attack had threatened to disrupt the United States’ food supply chain and raise food prices for many American homes.

Yet REvil might not currently hold the number-one spot among cybercrooks for most damage done. According to Atlas VPN, that title belongs to the extremely ruthless Conti ransomware group, which has reportedly extorted $13 million in 2021 alone.

That Russian-based group’s specialty is “double extortion ransomware,” which not only encrypts data but also threatens to leak it online.

Conti primarily targets organizations such as hospitals, 911 dispatch carriers and law enforcement agencies, causing life-threatening situations, according to Atlas VPN.

While the disappearance of REvil earlier this month may have struck some observers as nothing but good, it left some companies stranded. Their systems had been paralyzed by ransomware, and they had begun negotiating to free their computers, but REvil went dark before they could get back online.

These victims were left in purgatory, said John Hammond, senior security researcher at the cybersecurity firm Huntress, in an article published by Bloomberg.com.

Multiple recent victims were still waiting for REvil to help them restore access to their networks when the group went offline, Hammond said. They had either paid but were waiting for their decryption key when REvil went missing, or they very much wanted to pay, but there was no one on the other end of the line to receive the cash.

“People that were in that unfortunate situation, it just really sucks,” Hammond told Bloomberg.com. “They reached out to anyone who could help, but it’s tough because they all came up empty handed.”

Perhaps the best known recent victim was the Florida-based software vendor Kaseya, hit by a supply chain ransomware attack. According to Hacker News, the incident is believed to have infiltrated as many as 1,500 networks that relied on 60 managed service providers for IT maintenance and support using Kaseya’s VSA remote management product.

REvil claimed credit for the Kaseya attack but vanished before the networks were restored. Nonetheless, progress has been made.

“On July 21, Kaseya obtained a decryptor for victims of the REvil ransomware attack, and we’re working to remediate customers impacted by the incident,” the company said in a statement. “Kaseya obtained the tool from a third-party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor.”

It’s not immediately clear whether Kaseya paid any ransom, or to whom.

According to The New York Times, “Kaseya was working with the F.B.I., the Department of Homeland Security and the White House to address the issue.”

Experts disagree not only over whether REvil has come back into the world as BlackMatter, but also over whether it was pressure from the U.S. or Russian government that made it vanish.

Richard A. Clarke, the former national coordinator for security and counterterrorism in the Clinton and Bush administrations, suggests the uproar over REvil has actually accomplished some good.

“First, by attacking critical infrastructure that disrupted widespread activities in the US, the hackers caused the issue of cyberwarfare to hurtle to the top of [Joe] Biden’s agenda with [Vladimir] Putin,” Clarke wrote in an opinion piece for the New York Daily News, entitled “Ransomware’s Silver Lining.”

Second, after the May cyberattack on Colonial Pipeline (believed to be perpetrated by the Russia-based DarkSide group), the Department of Homeland Security issued mandatory regulations on pipelines, a step many experts had pleaded for, he observed.

Third, the insurance industry may now have to check whether its customers follow effective security practices.

And fourth, “Some in the Biden administration and in the Congress, having been forced to think about Russia’s role in creating cyber threats (and China’s) are now asking themselves, ‘What else could they do to us in cyberspace?’ ”

Clarke wrote, “REvil, if you are actually gone, may the good you did live after you.”

Nancy Bilyeau is deputy editor of The Crime Report.