Not long after launching a major supply chain attack in July 2021, the REvil ransomware gang went offline. The group’s infrastructure, including its surface and dark web portals used for ransom negotiations and data leaks, shut down on July 12, according to Bleeping Computer. Russian digital crime forum XSS banned Unknown, a user believed to have been a representative for REvil, a short time later.

Before this, REvil was one of the most prolific and high-profile ransomware gangs. In March 2021, for instance, the operation drew attention to itself by demanding $50 million from a Taiwanese computer manufacturer. In April, it attempted to extort a tech giant during a live product reveal event. It was connected to other gangs, too. In May, a representative for REvil helped to announce the shutdown of DarkSide, a group that had been responsible for a pipeline attack earlier in the year.

Why Did the REvil Ransomware Gang Shut Down?

REvil's vanishing stands out partly because it was a surprise. The gang didn’t announce its shutdown ahead of time. Nor did it follow the lead of other ransomware gangs and release a master decryption key before calling it quits. It’s also unclear whether another entity took down REvil or whether it folded on its own.

What Happens to the Victims?

Those questions highlight just how difficult it can be for victims if and when a ransomware operation suddenly goes offline. Ideally, law enforcement and/or the security community could obtain a universal decryption key ahead of time so that victims can recover their files for free once the group disappears.

That’s not always possible, however. For instance, law enforcement tends to focus solely on disrupting the gang quickly. The logic is that doing so will help to prevent them from claiming any more victims. That allows the security community to focus on recovering existing victims’ data.

There’s another side of the argument, as well. Taking down a ransomware group puts victims in a difficult position. What if the group disappears with no way to get the ransomed files back? The only thing to do is to contact law enforcement, Steve Moore, chief security strategist at Exabeam, told SC Media.

Resisting the Pressure to Pay

Depending on the nature of the attack, some victims might choose to pay the ransom. They may believe it is the only means by which they can recover their systems and data. That’s especially a problem if the victim was a managed service provider. In that case, they could face hundreds if not thousands of customers fighting to recover.

Even if the victims have backups, they sometimes find that it makes more financial sense for them to pay up. A 2020 report from cybersecurity company Coveware found that it sometimes takes over two weeks to fully remediate and restore systems from backups following a ransomware attack. This type of disruption could undermine victims’ longevity and cost them more than paying the ransom. However, paying also encourages the attackers to target others and is not recommended.

A Reminder for Ransomware Prevention

Overall, the best option is to avoid needing to recover from a ransomware attack in the first place. Towards that end, organizations need to make sure that their employees have the right security awareness training to help prevent a ransomware infection. They can do this by using threat intelligence and conducting phishing simulations to cultivate employees’ awareness of current attacks. Organizations can then complement those human controls with technical measures, including email scanners and a robust data backup strategy with frequent rounds of testing.
