The peculiar disappearance of REvil ransomware hackers

The hacking crew behind damaging attacks on meat supplier JBS and customers of tech provider Kaseya has gone dark.
20 July 2021

The peculiar disappearance of REvil ransomware hackers. (Photo by Mikhail METZEL / SPUTNIK / AFP)

  • Cybersecurity researchers report that the entirety of the group’s infrastructure, from extortion pages to servers, has gone offline. 
  • The disappearance occurred amid growing pressure between the US and Russia over cyber-crime.

Just days after President Biden demanded that President Vladimir V. Putin of Russia shut down ransomware groups attacking American targets, the ransomware gang that attacked meat supplier JBS Foods this spring and a major IT software vendor this month — REvil — went offline. No one really knew what happened.

REvil, short for “Ransomware evil,” has been identified by US intelligence agencies as responsible for the attack on one of America’s largest beef producers, JBS. Two weeks after Biden and Putin met in Geneva last month, REvil took credit for a hack that affected thousands of businesses around the world over the July 4 holiday. 

The reasons for REvil’s disappearance were not immediately clear but experts reckon that ransomware groups have been known to disband when the heat is on and take an extended break, only to reform and reappear under another name — something that REvil has done in the past. Or it could just be Biden’s warning towards Putin, his Russian counterpart. He emphasised to Putin that there would be consequences if Moscow failed to address the ransomware attacks emanating from within its borders.

In a similar recent case, the DarkSide ransomware hackers disappeared from the web not long after its malware was used in the huge hack of Colonial Pipeline, which led to the shutdown of gas lines across the east coast of the US. In that case, some of the funds handed over in the US$4 million ransom, paid in Bitcoin, were recovered by the Justice Department.

Outside of the hack of JBS, which led to an US$11 million payment, REvil claimed a big scalp in an attack that exploited an unpatched “zero-day” vulnerability in tech made by Kaseya. By targeting that one tool, it managed to hack into many Kaseya customers, locking up files at as many as 1,500 separate businesses. Its ransom demand for that attack, and the release of the key to unlock files at all affected companies, was as high as US$70 million, though it went down to US$50 million. It’s unclear if any payment was made.

Beyond those two incidents, REvil in recent months also claimed hacks of renewable energy supplier Invenergy, PC maker Acer and Apple supplier Quanta Computer. According to data from cybersecurity firm Check Point, it saw 15 attacks carried out by REvil per week over the last two months.

Cybersecurity firm Clavister’s CEO John Vestberg told Tech HQ, “Although it is unclear the exact reason why REvil ransomware websites have gone offline, it is a positive step in the fight against these cybercriminal gangs. That said, it is only a matter of time before another ransomware incident takes place. The attack on Kaseya was the latest in a line of incidents that have caused wide-spread havoc – from the Colonial Pipeline to the JBS food production plant in the US.”

In particular, he said Critical National Infrastructure, such as oil and gas, is a prime target for ransomware gangs – systems are underpinned by a myriad of complex information and operational technology devices and so the consequences if these are infiltrated can be devastating. “Going after organisations with huge supply chains and customer bases provides the opportunity for wide-ranging effects which makes those impacted more likely to pay up, either individually or collectively,” John added.