What Happens to Victims When a Ransomware Gang Vanishes?

October 5, 2021

Not long after launching a major supply chain attack in July 2021, the REvil ransomware gang went offline. The group’s infrastructure, including its surface and dark web portals used for ransom negotiations and data leaks, shut down on July 12, according to Bleeping Computer. Russian digital crime forum XSS banned Unknown, a user believed to have been a representative for REvil, a short time later.

Before this, REvil was one of the most prolific and high-profile ransomware gangs. In March 2021, for instance, the operation drew attention to itself by demanding $50 million from a Taiwanese computer manufacturer. In April, it attempted to extort a tech giant during a live product reveal event. It was connected to other gangs, too. In May, a representative for REvil helped to announce the shutdown of DarkSide, a group that had been responsible for a pipeline attack earlier in the year.

Why Did the REvil Ransomware Gang Shut Down?

REvil’s disappearance stands out partly because it was a surprise. The gang didn’t announce its shutdown ahead of time. Nor did it follow the lead of other ransomware gangs and release a master decryption key before calling it quits. It’s also unclear whether another entity took down REvil or if it folded on its own.

What Happens to the Victims?

Those questions highlight just how difficult it can be for victims if and when a ransomware operation suddenly goes offline. Ideally, law enforcement and/or the security community could obtain a universal decryption key ahead of time so that victims can recover their files for free once the group disappears.

That’s not always possible, however. For instance, law enforcement tends to focus solely on disrupting the gang quickly. The logic is that doing so will help to prevent them from claiming any more victims. That allows the security community to focus on recovering existing victims’ data.

There’s another side of the argument, as well. Taking down a ransomware group puts victims in a difficult position. What if the group disappears with no way to get the ransomed files back? The only thing to do is to contact law enforcement, Steve Moore, chief security strategist at Exabeam, told SC Media.

Resisting the Pressure to Pay

Depending on the nature of the attack, some victims might choose to pay the ransom. They may believe it is the only means by which they can recover their systems and data. That’s especially a problem if the victim was a managed service provider. In that case, they could face hundreds if not thousands of customers fighting to recover.

Even if the victims have backups, they sometimes find that it makes more financial sense for them to pay up. A 2020 report from cybersecurity company Coveware found it sometimes takes over two weeks to fully remediate and restore systems following a ransomware attack using backups. This type of disruption could undermine victims’ longevity and cost them more than paying the ransom. However, paying also encourages the attackers to target others and is not recommended.

A Reminder for Ransomware Prevention

Overall, the best option is to avoid needing to recover from a ransomware attack in the first place. Towards that end, organizations need to make sure that their employees have the right security awareness training to help prevent a ransomware infection. They can do this by using threat intelligence and conducting phishing simulations to cultivate employees’ awareness of current attacks. Organizations can then complement those human controls with technical measures, including email scanners and a robust data backup strategy with frequent rounds of testing.

David Bisson
Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...