When ransomware groups like DarkSide and REvil disappeared weeks back, they were essentially following a routine pattern: appearing, making a splash with a series of attacks (some publicized, some kept under wraps), and then disappearing and presumably disbanding.
However, what is happening now is unprecedented. As the Happy Blog is reactivated, signs are pointing to the ransomware gang REvil resurfacing.
“Typically, when ransomware groups and their associated leak websites go offline, they either shut down their operations on their own accord (and provide decryption keys) or they’ve been shut down by law enforcement agencies,” Tenable researcher Satnam Narang tells IndustryWeek. “With all of the attention they received following the Kaseya attack, REvil’s exit was abrupt. It led to tons of speculation as to what had happened, and whether or not they would rebrand and return under a new ransomware moniker. REvil’s return is therefore unprecedented.”
Of course, REvil itself is quite likely a reincarnation of a previous group, explains Steve Moore, chief security strategist, Exabeam. “After all, adversaries' talent and confidence is stronger after prior successes,” he says.
Moore encourages organizations to think about the resurfacing in two ways:
“First, they undoubtedly have their next software supply chain compromised. The technique began in espionage and has now been borrowed for criminal activity; this campaign hasn't started yet – but will very soon,” he says. “On the other hand, defenders should focus more on the missed intrusion and poor recovery options and less on ransomware. Ransomware is the product of being unable to detect and disrupt the cycle of compromise – period.”
At this point, it is unclear what REvil’s future holds, Narang explains. “Whether this is indeed the beginning of a full-fledged return remains to be seen,” he says. “It may very well be that REvil is gearing up for the next phase of attacks. Even with other competitors in this space, REvil is one of the premier ransomware-as-a-service operations and they will likely return to prominence in due time.”
Adds Moore, “Directly, REvil took time to refit, retool, and take a bit of a holiday over the summer. The fact their sites are back online means they are, again, ready for business and have targets in mind.”