Not long after launching a major supply chain attack in July 2021, the REvil ransomware gang went offline. The group’s infrastructure, including its surface and dark web portals used for ransom negotiations and data leaks, shut down on July 12, according to Bleeping Computer. Russian digital crime forum XSS banned Unknown, a user believed to have been a representative for REvil, a short time later.

Before this, REvil was one of the most prolific and high-profile ransomware gangs. In March 2021, for instance, the operation drew attention to itself by demanding $50 million from a Taiwanese computer manufacturer. In April, it attempted to extort a tech giant during a live product reveal event. It was connected to other gangs, too. In May, a representative for REvil helped to announce the shutdown of DarkSide, a group that had been responsible for a pipeline attack earlier in the year.

Why Did the REvil Ransomware Gang Shut Down?

REvil's vanishing stands out partly because it was a surprise. The gang didn't announce its shutdown ahead of time. Nor did it follow the lead of other ransomware gangs and release a master decryption key before calling it quits. It's also unclear whether another entity took down REvil or if it folded on its own.

What Happens to the Victims?

Those questions highlight just how difficult it can be for victims if and when a ransomware operation suddenly goes offline. Ideally, law enforcement and/or the security community could obtain a universal decryption key ahead of time so that victims can recover their files for free once the group disappears.

That’s not always possible, however. For instance, law enforcement tends to focus solely on disrupting the gang quickly. The logic is that doing so will help to prevent them from claiming any more victims. That allows the security community to focus on recovering existing victims’ data.

There’s another side of the argument, as well. Taking down a ransomware group puts victims in a difficult position. What if the group disappears with no way to get the ransomed files back? The only thing to do is to contact law enforcement, Steve Moore, chief security strategist at Exabeam, told SC Media.

Resisting the Pressure to Pay

Depending on the nature of the attack, some victims might choose to pay the ransom. They may believe it is the only means by which they can recover their systems and data. That’s especially a problem if the victim was a managed service provider. In that case, they could face hundreds if not thousands of customers fighting to recover.

Even if the victims have backups, they sometimes find that it makes more financial sense for them to pay up. A 2020 report from cybersecurity company Coveware found it sometimes takes over two weeks to fully remediate and restore systems following a ransomware attack using backups. This type of disruption could undermine victims' longevity and cost them more than paying the ransom. However, paying also encourages the attackers to target others and is not recommended.

A Reminder for Ransomware Prevention

Overall, the best option is to avoid needing to recover from a ransomware attack in the first place. Towards that end, organizations need to make sure that their employees have the right security awareness training to help prevent a ransomware infection. They can do this by using threat intelligence and conducting phishing simulations to cultivate employees’ awareness of current attacks. Organizations can then complement those human controls with technical measures, including email scanners and a robust data backup strategy with frequent rounds of testing.
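The backup advice above hinges on the last clause: a backup that has never been restored and checked is an assumption, not a control. The following script is an added example, not code from the original article or from any vendor it names. It shows one way to run a regular restore drill: record a SHA-256 manifest of the data at backup time, restore into a scratch location, and compare every file against the manifest so that silent corruption, missing files or stray files are reported before an incident forces the question. The sample files, directory names and the `restore_drill` helper are all constructed for the demonstration; in practice `build_manifest` would run against the real data set and `verify_restore` against the output of the real restore job.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample data set standing in for production files.
# None of this comes from the article; it exists so the drill runs offline.
SAMPLE_FILES = {
    "finance/ledger.csv": b"date,amount\n2021-07-01,100\n",
    "hr/handbook.txt": b"Welcome to the company.\n",
    "it/config.yaml": b"backup_interval: 24h\n",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the hash of every file under root, keyed by its relative path.
    This is taken at backup time and stored separately from the backup media."""
    manifest = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            manifest[entry.relative_to(root).as_posix()] = sha256_file(entry)
    return manifest


def verify_restore(manifest: dict, restored: Path) -> list:
    """Compare a restored tree against the backup-time manifest.
    Returns (relative_path, problem) tuples; an empty list means the restore is clean."""
    problems = []
    for rel, expected in manifest.items():
        target = restored / rel
        if not target.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(target) != expected:
            problems.append((rel, "hash mismatch"))
    # Files present after restore that were never in the backup set.
    for entry in sorted(restored.rglob("*")):
        if entry.is_file():
            rel = entry.relative_to(restored).as_posix()
            if rel not in manifest:
                problems.append((rel, "unexpected"))
    return problems


def write_tree(root: Path, files: dict) -> None:
    """Materialise the constructed sample files under root."""
    for rel, data in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)


def restore_drill(files: dict = SAMPLE_FILES, corrupt: str = None, drop: str = None) -> list:
    """Run one end-to-end drill in temporary directories (hypothetical helper).
    corrupt names a file whose restored copy is altered, drop names a file whose
    restored copy is deleted; both simulate failures the drill must catch."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        write_tree(source, files)
        manifest = build_manifest(source)
        # Simulated restore job: the real one would pull from backup media.
        write_tree(restored, files)
        if corrupt:
            (restored / corrupt).write_bytes(b"\x00not the original bytes\x00")
        if drop:
            (restored / drop).unlink()
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore:", restore_drill())
    print("corrupted file:", restore_drill(corrupt="hr/handbook.txt"))
    print("missing file:", restore_drill(drop="finance/ledger.csv"))
```

A clean drill returns an empty list; the other two runs show the two failure modes that matter most after a ransomware event, a file whose contents no longer match and a file that did not come back at all. Keeping the manifest off the backup media means an attacker who tampers with the backups cannot also adjust the record they are checked against.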
