The Washington Post (Democracy Dies in Darkness)

The Cybersecurity 202: There are three big theories about why a major ransomware gang disappeared online

with Aaron Schaffer

Cyber watchers are stuck with more questions than answers after the notorious REvil ransomware gang, which had become a locus of U.S.-Russia conflict, mysteriously dropped offline.

The disappearance came less than two weeks after the Russia-based criminal group took credit for the mammoth Kaseya attack, which locked up the information of up to 1,500 organizations over the Fourth of July weekend, Ellen Nakashima, Rachel Lerman and Gerrit De Vynck report. The attack prompted President Biden to pledge the United States will take “any necessary action” to defend U.S. infrastructure.

U.S. officials also blamed REvil for a May attack on the meat processor JBS that threatened U.S. meat supplies.

Researchers are mulling three main possibilities for the criminal gang’s disappearance — each of which carries good and bad news for U.S. efforts to combat the ransomware scourge emanating from Russia.  

  1. The Kremlin bent under U.S. pressure and forced REvil to close up shop.
  2. U.S. officials tired of waiting for Kremlin cooperation and launched a cyber operation that took REvil offline.
  3. REvil’s operators were feeling the heat and decided to lie low for a while.

The bottom line for all those scenarios: It’s a positive development if REvil is shutting down, but that’s no guarantee another ransomware gang won’t launch attacks just as damaging.

“We’re facing an uphill battle here because there’s a tremendous amount of money in the game that attracts criminals like flies,” John Hultquist, vice president of intelligence analysis for the cybersecurity firm FireEye, told me. “As long as there’s an opportunity for criminals to make tens of millions of dollars it’s going to be really hard to make this go away.”

The best-case scenario is that Russian President Vladimir Putin forced REvil to shut down.

Such a cooperative move from the most formidable U.S. cyber foe is unlikely but not outlandish.

On the list of cyber operations that are most valuable to the Russian regime, spying on U.S. government agencies, politicians and critical companies is at the top. Allowing criminals to extort money from large and small U.S. businesses is far lower. 

The Biden administration also has been threatening severe consequences if Russia doesn’t rein in those criminal groups — which most experts say operate with at least the Kremlin’s tacit approval. 

Given all of that, Putin may have decided this wasn’t a fight worth engaging in.

But forcing one gang out of business doesn’t mean Putin will clamp down on other ransomware gangs or prevent them from attacks that disable critical U.S. infrastructure. 

“The question is: Is this a round-up-the-usual-suspects moment or something that will be more sustained,” Chris Painter, the State Department’s top cyber diplomat during the Obama administration, told me.

Putin and Biden agreed to launch high-level talks on ransomware after a June summit. That group is meeting today.

If this was a U.S. hacking operation that forced REvil offline, that would send a strong message to the Kremlin. 

It would telegraph that if Russian officials don’t halt criminal hacking on their territory, the United States will do it for them. 

U.S. Cyber Command has launched operations to temporarily take offline Russian and Iranian government hacking operations, but has tread more lightly with criminal actors. 

It will probably take many more such operations before there’s a long-term reduction in ransomware attacks. 

“None of this can be a one-off thing. This is not a light switch,” Painter said. “This is going to take a sustained effort over months and perhaps years.”

One positive development may be if ransomware gangs decide it’s easier to operate in a way that doesn’t draw too much U.S. attention so they're not also forced offline. 

“It may send a message to some of the players that they need to find a less-aggressive business model, which could mean avoiding critical infrastructure, or it could mean avoiding U.S. targets,” Hultquist said. 

The least consequential explanation would be if REvil simply shut itself down. 

Such groups are well known for disappearing for a time and then returning, often in a reconstituted form. 

A criminal group called Trickbot that the U.S. military and Microsoft effectively forced offline before the 2020 election has recently reemerged. A ransomware group called DarkSide dropped offline in May after it hacked Colonial Pipeline and prompted fears of gas shortages across the United States — but many analysts expect it’s not gone forever. 

And even if REvil doesn’t return, other ransomware gangs are sure to pop up in its place. 

“Even if this group was taken down there are others that can step in to fill the void,” Hultquist said. 

The keys

Thousands of Facebook employees allegedly improperly accessed users’ personal accounts.

Many of the engineers who improperly accessed the data used it to look up women they were interested in and, in some cases, tracked their locations, the New York Times’s Sheera Frenkel and Cecilia Kang write in an excerpt of their new book that was published by the Telegraph.

Facebook CEO Mark Zuckerberg was taken aback by the pervasiveness of the problem when then-chief security officer Alex Stamos described it to him in 2015.

“We've always had zero tolerance for abuse and have fired every single employee ever found to be improperly accessing data,” a representative told Insider. “Since 2015, we've continued to strengthen our employee training, abuse detection, and prevention protocols. We're also continuing to reduce the need for engineers to access some types of data as they work to build and support our services.”

New Chinese regulations would affect the country’s cybersecurity researchers.

Cybersecurity researchers would have to share with Beijing information about computer vulnerabilities they find and they wouldn’t be allowed to sell the information, the Associated Press’s Joe McDonald reports. The rules, which go into effect in September, also would bar information about vulnerabilities from being shared with “overseas organizations or individuals” with the exception of product manufacturers.

It appears to be part of a broader effort to exert regulatory control over Chinese companies' cybersecurity. Chinese regulators also have gone after companies seeking to sell stock shares overseas, telling them that they need to look closely at their data security practices. Beijing is scrutinizing the data security practices of Chinese ride-share giant Didi, which it reportedly warned against going public on the New York Stock Exchange.

Former Justice Department officials are clashing over baseless 2020 election fraud claims.

William McSwain, a former U.S. attorney for the Eastern District of Pennsylvania, appeared to blame former attorney general William P. Barr for not allowing him to fully look into and publicize election fraud cases, Devlin Barrett, Matt Zapotosky and Rosalind S. Helderman report.

McSwain is jockeying for support from former president Donald Trump in a high-profile race for Pennsylvania governor.

Barr disputed the allegations. 

“Any suggestion that McSwain was told to stand down from investigating allegations of election fraud is false. It’s just false,” he said, noting that the claims “appeared to have been made to mollify President Trump to gain his support for McSwain’s planned run for governor.”

Government scan

Cybersecurity veteran Jen Easterly was sworn in as CISA director.

Easterly was sworn in less than 24 hours after the Senate unanimously confirmed her to lead the Cybersecurity and Infrastructure Security Agency. She said she was “incredibly honored and humbled” to join CISA. She’ll have to immediately work to defend U.S. systems from ransomware amid a surge in the attacks.

Easterly is the second-ever Senate-confirmed director of the three-year-old agency. Trump fired the first CISA director, Chris Krebs, for insisting with other government leaders that the 2020 election results were legitimate and not tarnished by foreign interference. The agency has plans to expand internationally but has faced challenges at home.

On the move

Former CISA official Rick Driggers joined Accenture Federal Services.

Driggers began working at the firm last week, he said in an exclusive interview with The Cybersecurity 202. He plans to focus on cybersecurity issues related to national security and securing vital U.S. industries as the firm’s critical infrastructure cyber lead.

At CISA, Driggers led the Integrated Operations Division, which works with private infrastructure and state and local governments. Accenture Federal Services is a subsidiary of consulting giant Accenture. CISA recently awarded the firm a $112 million contract to defend government systems and contain breaches.

Industry report

Hackers Move to Extort Gaming Giant EA (Vice)

Chip Shortage Has Spawned a Surplus of Fraudsters and Fake Parts (Wall Street Journal)

Global cyberspace

Malware-infected documents found on the Kazakhstan government's portal (The Record)

Dechert may face UK lawsuit over Indian hacking claim (Reuters)

Chat room

A professor who was impersonated by Iranian hackers spoke with Motherboard’s Lorenzo Franceschi-Bicchierai. He told Franceschi-Bicchierai that although the experience was stressful, “on the upside I had conversations with a lot of interesting people that I would probably not have had interaction with otherwise.” Jason Kichen, the director of security strategy and technical programs at Twitter:

Proofpoint’s Joshua Miller, who wrote a report on the hacks, and Proofpoint colleague Sherrod DeGrippo:

Privacy patch

The ugly, geeky war for web privacy is playing out in the W3C (Protocol)

  • President Biden nominated Deloitte consultant Alan Estevez, a former Pentagon official, to be the Commerce Department’s undersecretary for industry and security. Estevez would oversee the Bureau of Industry and Security, which works on export control and sanctions issues.

  • Estonian Prime Minister Kaja Kallas discusses international collaboration to secure digital infrastructure at an Atlantic Council event on Wednesday at 2 p.m.
  • The Senate Commerce Committee holds a hearing on supply chain resiliency on Thursday at 10:30 a.m.
  • The Internet Governance Forum USA conference hosts panels on supply chain security and securing the Internet of Things on Thursday at 10:30 a.m. and 12:15 p.m.
  • The House Homeland Security Committee holds a hearing on changes to the Department of Homeland Security to meet today’s threats on Thursday at noon.
  • The Senate Committee on Environment and Public Works holds a hearing on cybersecurity vulnerabilities in physical infrastructure on July 21 at 10 a.m.

Secure log off