REvil Is Down, Not Out

Systems and Infrastructure Go Down for REvil Ransomware

On July 13, 2021, following the recent high-profile ransomware attack on Kaseya, the systems, network, and hosting infrastructure for the Russian ransomware extortionist threat group “REvil” (aka, “Sodinokibi” or “Sodin”) mysteriously went offline—without parting words from REvil admins or law enforcement agencies claiming the successful takedown. On the same day, the cybercriminal forum XSS formerly banned REvil’s primary spokesperson, who uses the alias “Unknown.”

36 Hours In: Systems Still Down, Admins Silent

As of this article’s posting on late July 14, 2021, REvil systems remain down, including the ransomware collective’s payment support operations, communications channels, and victim shaming sites.

Some threat actors celebrated the alleged takedown on various illicit communities. For example, on XSS, one threat actor with the alias “farnetwork” said REvil were competitors, and told them to “rest in peace.” Another user with the alias “Rakuda” said these are “good days” as this move will lead to a decrease in scammers operating on the forum.

Yet, while many ransomware victims and security experts celebrate REvil’s demise, ransomware, and the cyber extortion groups like REvil who carry out the attacks, are sure to persist.

Lingering Ambiguity Strengthens the Case for REvil Returning

With REvil’s outage extending into a day and a half since the first signs of the outage surfaced, answers to questions as to why it suddenly went offline and who’s responsible still remain unclear. Typically in these instances, someone takes claim for the outage or general consensus coalesces around the most likely cause. In this instance with REvil, questions continue to linger.

Threat actor discussion of REvil’s circumstances on illicit forums has flourished, with users engaging in active debates about various theories and explanations and predictions about future developments likely to unfold. Some are confident that REvil members have been arrested. While even more speculate that REvil’s outage is temporary, making the case that even if there were REvil arrests, the likelihood that all group members were successfully apprehended is small. If REvil’s absence is temporary, then we’re certain to see a rebranded version of REvil emerge carrying out large-scale attacks using familiar TTPs.

XSS Ban of REvil Spokesperson “Unknown” Just Proactive Protection

Similarly with the XSS ban of the REvil spokesperson “Unknown,” the seemingly coincidental timing with the outage is far more likely due to XSS admins catching early wind of the REvil outage and them taking extra precautions to protect themselves from possible account takeovers that law enforcement could run (had law enforcement in fact been responsible for the REvil takedown). As of this reporting, however, there’s no significant evidence to link this outage to law enforcement efforts. Moreover, given Russia’s longstanding hands-off approach to international cybercrime enforcement, it’s even less likely that a joint mission against REvil was carried out.

Some threat actors inquired about the remaining deposits that Unknown still held in the XSS forum, wondering what would happen to the funds following its ban from the forum. When DarkSide was banned from illicit forums, admins of these forums seized and distributed DarkSide’s remaining deposits amongst themselves. An XSS admin offered context regarding Unknown’s remaining funds—which at .0022 BTC (currently US$72) is much smaller than Darkside’s deposit was—claiming that they would either be distributed or fund the operation of the forum.

The Kremlin Evasive on Topic of REvil Topic, Denies Involvement

Meanwhile, the Kremlin is denying any involvement in the alleged takedown. When asked about Russia’s involvement in REvil’s disappearance during a July 14th press conference, Kremlin spokesperson Dmitry Peskov claimed he’s unaware of the entire situation, stating “I do not know which group has disappeared from where.” Peskov’s denial does not lend credence to theories that President Biden’s conversation with Russian President Putin pressured the Russian leader to take a harsher stance on cybercrime originating in Russia. 

Prepare for Ransomware and Cyber Extortion with Flashpoint

Request a demo and see firsthand how Flashpoint’s Threat Response and Readiness offerings ensure your entire team is prepped and able to respond to any ransomware attack. When equipped with Flashpoint’s dedicated ransomware dashboards, you move ahead of ransomware and the cybercriminal groups who deploy it.