Not long after launching a major supply chain attack in July 2021, the REvil ransomware gang went offline. The group’s infrastructure, including its surface and dark web portals used for ransom negotiations and data leaks, shut down on July 12, according to Bleeping Computer. Russian digital crime forum XSS banned Unknown, a user believed to have been a representative for REvil, a short time later.

Before this, REvil was one of the most prolific and high-profile ransomware gangs. In March 2021, for instance, the operation drew attention to itself by demanding $50 million from a Taiwanese computer manufacturer. In April, it attempted to extort a tech giant during a live product reveal event. It was connected to other gangs, too. In May, a representative for REvil helped to announce the shutdown of DarkSide, a group that had been responsible for a pipeline attack earlier in the year.

Why Did the REvil Ransomware Gang Shut Down?

REvil's vanishing stands out partly because it was a surprise. The gang didn't announce its shutdown ahead of time. Nor did it follow the lead of other ransomware gangs and release a master decryption key before calling it quits. It's also unclear whether another entity took down REvil or whether it folded on its own.

What Happens to the Victims?

Those questions highlight just how difficult it can be for victims if and when a ransomware operation suddenly goes offline. Ideally, law enforcement and/or the security community could obtain a universal decryption key ahead of time so that victims can recover their files for free once the group disappears.

That's not always possible, however. For instance, law enforcement tends to focus solely on disrupting the gang quickly. The logic is that doing so prevents the gang from claiming any more victims, which in turn lets the security community focus on recovering existing victims' data.

There’s another side of the argument, as well. Taking down a ransomware group puts victims in a difficult position. What if the group disappears with no way to get the ransomed files back? The only thing to do is to contact law enforcement, Steve Moore, chief security strategist at Exabeam, told SC Media.

Resisting the Pressure to Pay

Depending on the nature of the attack, some victims might choose to pay the ransom. They may believe it is the only means by which they can recover their systems and data. That’s especially a problem if the victim was a managed service provider. In that case, they could face hundreds if not thousands of customers fighting to recover.

Even if the victims have backups, they sometimes find that it makes more financial sense for them to pay up. A 2020 report from cybersecurity company Coveware found it sometimes takes over two weeks to fully remediate and restore systems from backups following a ransomware attack. This type of disruption could undermine victims' longevity and cost them more than paying the ransom. However, paying also encourages the attackers to target others and is not recommended.

A Reminder for Ransomware Prevention

Overall, the best option is to avoid needing to recover from a ransomware attack in the first place. Towards that end, organizations need to make sure that their employees have the right security awareness training to help prevent a ransomware infection. They can do this by using threat intelligence and conducting phishing simulations to cultivate employees’ awareness of current attacks. Organizations can then complement those human controls with technical measures, including email scanners and a robust data backup strategy with frequent rounds of testing.
