The Washington PostDemocracy Dies in Darkness

Hacking group behind widespread ransomware attacks disappears online

REvil, thought to be based in Russia, vanished this week after being blamed for Kaseya hack

A photo illustration shows a screen displaying the Darkside Onionsite address with a notice saying it could not be found. (Olivier Douliery/AFP/Getty Images)
Placeholder while article actions load

A cybercriminal group that took responsibility for a massive ransomware attack that affected hundreds of businesses this month has disappeared from sight online.

REvil, which is thought to be based in Russia, was not in its usual places on the “dark web” and the regular Internet on Tuesday. Many researchers have blamed the group for the huge hack that hit technology services provider Kaseya just hours before the beginning of the Fourth of July weekend.

That attack affected a software used by hundreds of businesses and locked up victims’ files so they could no longer access them. Organizations ranging from a grocery chain in Sweden to a school in New Zealand to small Maryland towns were racing to get their systems back online after the attack.

The anatomy of a ransomware attack

REvil’s sites went down early Tuesday, according to cyber analysts. The last known response from the group’s servers was around 1 a.m. Tuesday, said Allan Liska, a researcher with cybersecurity firm Recorded Future.

“Someone went in and removed the IP address” linked to the domain hosting the group’s sites, said Dmitri Alperovitch, president of the think tank Silverado Policy Accelerator and former chief technology officer of the cyber firm CrowdStrike.

The group’s blog is reachable on the dark web, a portion of the Internet that is not easily navigable by search engine, he said. But the more critical sites, which are used to negotiate with the group and receive decryption tools, are on the regular Internet, he said. All were down Tuesday.

The domain registrar is TLD Registrar Solutions, which is headquartered in London, Alperovitch said. Attempts to reach the firm Tuesday were not successful.

The reason behind the site outage is unclear. It could have been the result of a request by law enforcement — British, American or some other government — to the domain registrar. It could have been the group itself feeling pressured.

The servers do not appear to have been hacked, so this is unlikely to be an offensive cyber operation, Alperovitch said. He also said the fact that the domains were not fully seized made it doubtful that it was a law enforcement operation.

President Biden told Russian President Vladimir Putin last week that the United States will take “any necessary action” to defend U.S. infrastructure, according to the White House.

White House national security adviser Jake Sullivan said the administration would announce new measures on ransomware in the coming weeks, without specifying what those actions would be. Sullivan spoke at a national security and tech event in Washington on Tuesday.

In any case, the site, which is where ransomware victims communicate with the group, submit payments and receive decryption keys, is now unreachable, creating a dilemma for those whose systems are locked up.

REvil demanded ransoms ranging from $45,000 to $5 million from the victims in exchange for a computer key that would unlock their files and hand control back to the companies. Many victims have refused to pay the ransom, working instead to restore backups for their many computer systems.

But for some, paying a ransom may have been the only choice to regain years of stored data.

‘Shut down everything’: Global ransomware attack takes a small Maryland town offline

Kurtis Minder, founder of the cybersecurity service GroupSense, said many small businesses who had been hit in the Kaseya hack and were considering paying the ransom to REvil are now stuck. Minder, who helps companies negotiate ransoms with hackers, said the websites being down means they can no longer negotiate with REvil to unlock their computers.

It’s unclear why REvil’s sites are down, but the outage could have the side effect of prolonging the damage to some of the group’s most vulnerable targets, he said.

Another ransomware group, DarkSide, dropped offline in May after it hacked Colonial Pipeline, causing fear of gas shortages and panicked lines at fuel stations. The U.S. government did not take down the group, officials said, and cybersecurity experts warned that the hacking group might not really be gone for good.

REvil, one of the largest ransomware-as-a-service groups operating today, first appeared in April 2019 and is thought to be an evolution of earlier hacking group GandCrab.

“We don’t know if they were directly involved with GandCrab, an affiliate that took over the code, or someone who straight up stole it,” Liska said. “But the two code bases were very similar when REvil first appeared.”

Biden tells Putin the U.S. will take ‘any necessary action’ after latest ransomware attack, White House says

In some cases, cybercriminal groups have been known to offer up decryption keys even without ransom payments. This happened earlier this year in Ireland after the national health service was hacked. That ransomware group, Conti, finally handed over a key amid mounting public pressure.

But Liska said REvil is unlikely to do the same.