UPDATED 20:37 EDT / JULY 13 2021


REvil disappears following pressure on Russia to act on ransomware gangs

Ransomware gang REvil has disappeared following pressure from the U.S. government on Russia to act on ransomware groups operating in the country.

The REvil ransomware gang, also known as Sodinokibi, dates back to 2018 and is believed to be an offshoot of the now-defunct GandCrab ransomware gang. REvil, in its three years, has been prolific in its attacks.

SiliconANGLE first reported on the group in May 2019 following an attack exploiting a vulnerability in Oracle Corp.’s WebLogic Server and has regularly done so since. Notable REvil ransomware attacks include CyrusOne Inc. in December 2019; Travelex the same month, a notable target because the company subsequently paid the ransom; celebrity law firm Grubman Shire Meiselas & Sacks in May 2020; video games maker Capcom Co. Ltd. in November; U.K. cosmetic surgery provider Transform Hospital Group Ltd. in December; and insurance company CNA Financial Corp. in March.

More recent attacks include REvil demanding a $50 million payment from computer maker Acer Inc., a ransomware attack that resulted in meat processing company JBS S.A. paying an $11 million ransom, and an attack on Taiwanese manufacturer Quanta Computer Inc. that resulted in the theft of Apple Inc. blueprints.

REvil’s ultimate downfall, though, may be its last attack targeting software company Kaseya Ltd. earlier this month. That one drew the attention of the White House.

The White House July 6 vowed to take action against Russia if the attack was linked to the country. U.S. President Joe Biden spoke to Russian President Putin on July 9, when he underscored the need for Russia to disrupt ransomware groups operating in the country.

Whether REvil’s alleged disappearance is the result of Russia acting on the U.S. request to crack down on ransomware gangs operating in the country is pure speculation. The Associated Press correctly notes in its headline that the cause isn’t clear, but adds that there is no sign of a law enforcement takedown.

Ransomware gangs come and go on a regular basis and REvil has been a highly profitable one. Those behind the group could have simply taken their profits and run amid increasing attention.

Jake Williams, co-founder and chief technology officer at incident response firm BreachQuest Inc., agreed it’s all speculation for now.

“Ransomware gangs operating in Russia were on borrowed time the second Colonial was hit,” Williams said. “The Russian government didn’t care about the cybercrime occurring within its borders, but only so long as it didn’t impact Russia itself.”

But that, he added, has clearly changed, and the Russian government can now see it’s being hurt by the actions of these hackers. “Whether REvil was taken out of commission by the Russian government, saw the writing on the wall and took infrastructure down and is simply rebranding like so many groups have — likely including REvil itself — or something else is unknown at this point.”

Photo: U.S. Air Force
