REvil drops from sight online after Kaseya hack - The Washington Post

That attack affected a software used by hundreds of businesses and locked up victims’ files so they could no longer access them. Organizations ranging from a grocery chain in Sweden to a school in New Zealand to small Maryland towns were racing to get their systems back online after the attack.

REvil’ssiteswent down early Tuesday, according to cyber analysts. The last known response from the group’s servers was around 1 a.m. Tuesday, said Allan Liska, a researcher with cybersecurity firm Recorded Future.

“Someone went in and removed the IP address” linked to the domain hosting the group’s sites, said Dmitri Alperovitch, president of the think tank Silverado Policy Accelerator and former chief technology officer of the cyber firm CrowdStrike.

The group’s blog is reachable on the dark web, a portion of the Internet that is not easily navigable by search engine, he said. But the more critical sites, which are used to negotiate with the group and receive decryption tools, are on the regular Internet, he said. All were down Tuesday.

The domain registrar is TLD Registrar Solutions, which is headquartered in London, Alperovitch said. Attempts to reach the firm Tuesday were not successful.

The reason behind the site outage is unclear. It could have been the result of a request by law enforcement — British, American or some other government — to the domain registrar. It could have been the group itself feeling pressured.

The servers do not appear to have been hacked, so this is unlikely to be an offensive cyber operation, Alperovitch said. He also said the fact that the domains were not fully seized made it doubtful that it was a law enforcement operation.

President Biden told Russian President Vladimir Putin last week that the United States will take “any necessary action” to defend U.S. infrastructure, according to the White House.

White House national security adviser Jake Sullivan said the administration would announce new measures on ransomware in the coming weeks, without specifying what those actions would be. Sullivan spoke at a national security and tech event in Washington on Tuesday.

In any case, the site, which is where ransomware victims communicate with the group, submit payments and receive decryption keys, is now unreachable, creating a dilemma for those whose systems are locked up.

REvil demanded ransoms ranging from $45,000 to $5 million from the victims in exchange for a computer key that would unlock their files and hand control back to the companies. Many victims have refused to pay the ransom, working instead to restore backups for their many computer systems.

But for some, paying a ransom may have been the only choice to regain years of stored data.

Kurtis Minder, founder of the cybersecurity service GroupSense, said many small businesses who had been hit in the Kaseya hack and were considering paying the ransom to REvil are now stuck. Minder, who helps companies negotiate ransoms with hackers, said the websites being down means they can no longer negotiate with REvil to unlock their computers.

It’s unclear why REvil’s sites are down, but the outage could have the side effect of prolonging the damage to some of the group’s most vulnerable targets, he said.

Another ransomware group, DarkSide, dropped offline in May after it hacked Colonial Pipeline, causing fear of gas shortages and panicked lines at fuel stations. The U.S. government did not take down the group, officials said, and cybersecurity experts warned that the hacking group might not really be gone for good.

REvil, one of the largest ransomware-as-a-service groups operating today, first appeared in April 2019 and is thought to be an evolution of earlier hacking group GandCrab.

“We don’t know if they were directly involved with GandCrab, an affiliate that took over the code, or someone who straight up stole it,” Liska said. “But the two code bases were very similar when REvil first appeared.”

In some cases, cybercriminal groups have been known to offer up decryption keys even without ransom payments. This happened earlier this year in Ireland after the national health service was hacked. That ransomware group, Conti, finally handed over a key amid mounting public pressure.

But Liska said REvil is unlikely to do the same.