Not long after launching a major supply chain attack in July 2021, the REvil ransomware gang went offline. The group's infrastructure, including the surface web and dark web portals it used for ransom negotiations and data leaks, went dark on July 12, according to Bleeping Computer. A short time later, the Russian-language cybercrime forum XSS banned the user "Unknown", who is believed to have been a representative for REvil.

Before this, REvil had been one of the most prolific and high-profile ransomware gangs. In March 2021, for instance, the operation drew attention by demanding $50 million from a Taiwanese computer manufacturer. In April, it tried to extort a tech giant during a live product reveal event. It had ties to other gangs, too: in May, a REvil representative helped announce the shutdown of DarkSide, the group behind a pipeline attack earlier that year.

Why Did the REvil Ransomware Gang Shut Down?

REvil's disappearance stands out partly because it was a surprise. The gang didn't announce a shutdown ahead of time, nor did it follow the lead of other retiring ransomware gangs and release a master decryption key before calling it quits. It's also unclear whether another entity took REvil down or whether it folded on its own.

What Happens to the Victims?

Those questions highlight how difficult things become for victims when a ransomware operation suddenly goes offline. Ideally, law enforcement and/or the security community would obtain a universal decryption key ahead of time, so that victims could recover their files for free once the group disappears.

That isn't always possible. Law enforcement, for instance, tends to focus on disrupting the gang as quickly as it can, on the logic that doing so stops it from claiming more victims, and leaves the recovery of existing victims' data to the security community.

There's another side to the argument, as well. Taking down a ransomware group can put victims in a difficult position: what if the group disappears with no way left to get the ransomed files back? The only thing to do then is to contact law enforcement, Steve Moore, chief security strategist at Exabeam, told SC Media.

Resisting the Pressure to Pay

Depending on the nature of the attack, some victims might choose to pay the ransom, believing it is the only way to recover their systems and data. That is especially a problem when the victim is a managed service provider, which could have hundreds if not thousands of customers fighting to recover through it.

Even victims with backups sometimes conclude that paying makes more financial sense. A 2020 report from cybersecurity company Coveware found that it can take over two weeks to fully remediate and restore systems from backups after a ransomware attack. Disruption on that scale could threaten a victim's survival and cost more than the ransom itself. However, paying funds and encourages further attacks, does not guarantee a working decryptor, and, as REvil's abrupt disappearance shows, leaves a paying victim with nobody to deliver the key if the gang's infrastructure vanishes. It is not recommended.

A Reminder for Ransomware Prevention

Overall, the best option is to avoid having to recover from a ransomware attack at all. To that end, organizations need to give employees security awareness training that helps prevent an infection in the first place, using threat intelligence and phishing simulations to keep staff alert to current campaigns. Those human controls should then be complemented with technical measures: email scanning, and a data backup strategy in which copies are kept offline or on immutable storage, so that an intruder who reaches the network cannot encrypt or delete them, and in which restores are tested regularly rather than assumed to work.
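What "testing backups" means in practice is a restore drill: restore the archive into a clean location and compare every file against a manifest of hashes recorded at backup time, not just confirm that the archive opens. The script below is an added example written for this article, not code from the original page or from any vendor it mentions. It backs up a constructed sample tree, restores and verifies it, then overwrites one archive member with random bytes to stand in for ransomware that reached a backup over the network, and shows the verification failing closed. The sample file names and contents are invented; the manifest is assumed to be stored separately from the archive (offline or immutable), since a hash list an attacker can rewrite proves nothing.

```python
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data standing in for a file share protected by a backup job.
SAMPLE_FILES = {
    "finance/q2-ledger.csv": b"account,amount\n1001,250.00\n1002,-75.10\n",
    "hr/policies.txt": b"Acceptable use policy v3\n",
    "eng/build.log": b"build ok\n" * 50,
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_sample_tree(root: Path, files=SAMPLE_FILES) -> None:
    """Create the constructed source tree on disk."""
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def create_backup(source: Path, archive: Path) -> dict:
    """Archive `source` and return a manifest {relative_path: sha256}.
    The manifest is taken from the live source at backup time; keep it apart
    from the archive so whoever can overwrite the archive cannot also fix the
    expected hashes (assumed in this example, not enforced by it)."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                manifest[rel] = sha256_hex(path.read_bytes())
                tar.add(str(path), arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: dict, restore_dir: Path) -> dict:
    """Restore into an empty directory and check every file against the manifest.
    "ok" is True only when nothing is missing, changed or unexpected."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            # filter="data" (Python 3.12, backported to later 3.8-3.11 patch
            # releases) refuses absolute paths, ".." traversal and special members.
            tar.extractall(str(restore_dir), filter="data")
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(str(restore_dir))
    restored = {
        p.relative_to(restore_dir).as_posix(): sha256_hex(p.read_bytes())
        for p in restore_dir.rglob("*") if p.is_file()
    }
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    mismatched = sorted(r for r in manifest if r in restored and restored[r] != manifest[r])
    return {
        "ok": not (missing or unexpected or mismatched),
        "missing": missing,
        "mismatched": mismatched,
        "unexpected": unexpected,
    }


def simulate_tampering(archive: Path, victim: str) -> None:
    """Overwrite one member with random bytes of the same length, standing in
    for ransomware that encrypted a reachable backup file. The archive still
    opens and lists normally; only a content check catches the damage."""
    tmp = archive.with_suffix(".tmp")
    with tarfile.open(str(archive), "r:gz") as src, tarfile.open(str(tmp), "w:gz") as dst:
        for member in src.getmembers():
            data = src.extractfile(member).read()
            if member.name == victim:
                data = os.urandom(len(data))
            member.size = len(data)
            dst.addfile(member, io.BytesIO(data))
    tmp.replace(archive)


def run_drill() -> tuple:
    """Back up, restore and verify (passes); damage one member, verify again (fails)."""
    with tempfile.TemporaryDirectory() as td:
        base = Path(td)
        source, archive = base / "share", base / "backup.tar.gz"
        write_sample_tree(source)
        manifest = create_backup(source, archive)
        clean = restore_and_verify(archive, manifest, base / "restore-1")
        simulate_tampering(archive, "finance/q2-ledger.csv")
        damaged = restore_and_verify(archive, manifest, base / "restore-2")
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_drill()
    print("clean restore:", clean)
    print("tampered archive:", damaged)
```

Run it on its own and the first report comes back clean while the second lists the overwritten ledger under "mismatched". In a real backup rotation the same check belongs on a schedule, against a copy the production network cannot write to, with a failed restore treated as an incident rather than a warning.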
