The REvil ransomware specialists vanished from the internet this week, and whoever is responsible for that disappearance is still unknown.
Ransomware has been in vogue for several years now. We could even say that this software, designed to lock computer data, is the great cybercriminal evil of our time: income from ransomware reportedly increased by 311% between 2019 and 2020. The thugs who make their living from it ask the owners of infected systems to pay a ransom to recover their data (or to prevent it from being distributed). The officials of the Colonial Pipeline, one of the largest American oil pipelines, thus spent five million dollars in Bitcoin to regain control of their infrastructure last June.
Ransomware is suitable for all targets: banks, large companies, television channels... Some gangs readily target schools or hospitals. Many outsource the distribution of their malware to intermediaries who get a portion of the ransom if they are successful. The Darkside group, for example, offers payouts of 75% to 90% of the loot to individuals who find and infect targets for it. This life attracts both low-level hackers and street criminals because the risks are low and the profits attractive: in 2020, around 20% of ransomware victims reportedly paid to regain control of their data.
The fact remains that criminal operations often come to an abrupt end: REvil, one of the largest ransomware groups in the world, seems to have disappeared from the internet on the night of July 12 to 13. The page on which the group posted information about recalcitrant victims, its payment portals and even its chat service vanished from the dark web. All around the world, cybersecurity professionals are scratching their heads: how could such a powerful group vanish like this?
REvil is known to have targeted Donald Trump and Microsoft. A few days before its disappearance, it had also hacked into the computers of HX5, a Florida company that supplies space and military launch systems to the US armed forces.
The fall of REvil could be linked to the hack of HX5. On July 9, the President of the United States, Joe Biden, said in remarks to the press following a telephone exchange with the President of the Russian Federation, Vladimir Putin: “I made it clear to him what the United States expects when a ransomware operation originates from its soil. Even if it is not backed by the state, we count on them to act if we provide them with enough information about those responsible.” A journalist then wanted to know: would the United States act unilaterally in the event of resistance from the Russian authorities? Response from Joe Biden: “Yes.”
In all likelihood, REvil was indeed a Russian group: its members recruited on Russian-speaking forums and some of its sites were hosted in Russia. This fits with the stereotype of the “big bad Russian (or Chinese) hacker” but also with the manifest laxity of Vladimir Putin's regime toward cybercriminal circles. The statements of the American president and the apparent disappearance of REvil nevertheless raise a major enigma: who is responsible for the fall of the group? The American “cyber-armed forces”? The Russian authorities, which would mark a considerable diplomatic effort? REvil could also have decided to lie low under such pressure. By early July, its operators had reached over 1,500 organizations by hacking Kaseya management software. The group then demanded a ransom of $70 million.
Another question remains: what should victims do if their computer systems are still locked by REvil ransomware? Occasionally, ransomware cybercriminals release all of their decryption keys when they disband. Not this time. The thugs of REvil have disappeared, of course, but without any mea culpa and evidently with the proceeds of their crimes. Last March, the group claimed revenue of $100 million per year.