Return of Russian ransomware group REvil
REvil, a notorious ransomware gang, has been resurrected after it was supposedly squashed by Russian authorities back in July.
REvil websites disappeared from the internet in mid-July after President Joe Biden pressured his Russian counterpart, Vladimir Putin, to shut down the Russian-speaking ransomware group. REvil had previously gone dark for several months in late 2021 and early 2022 after a major ransomware attack on information technology management software provider Kaseya.
But at the end of August, REvil claimed to have stolen nearly 400 gigabytes of data, including firmware source code and financial information, from Midea Group, a large Chinese electrical appliance maker.
If REvil leaks the company’s source code, that could cause major problems, said Jerrod Piker, competitive intelligence analyst at cybersecurity provider Deep Instinct.
“Source code is part of a company’s intellectual property, which in turn makes it extremely valuable to threat actors,” Piker told the Washington Examiner. “If sold, cybercriminals could potentially find vulnerabilities that are unknown and breach an organization.”
It’s also “particularly alarming” that REvil appears to be back in operation more than a year after the Kaseya ransomware attack, Piker said. “It is not uncommon to see ransomware groups go dark after a major breach by changing servers and hiding their footprint, especially if they receive a lot of media attention and pressure from international law enforcement,” he said.
Piker called on companies to be more proactive in their defense against ransomware.
“We need to stop being on the back foot when it comes to ransomware attacks,” he said. “The speed of modern ransomware attacks means that allowing malware to breach a network could already be too late.”
Some cybersecurity experts suggested the Russian crackdown on REvil wasn’t halfhearted given the short amount of time that the group was inactive. REvil is just one of several ransomware groups but is still a major threat all on its own.
“While REvil was among the most notorious groups, it being sidelined was always thought to be some combination of leverage for Russia in U.S. negotiations, as well as a signal to ransomware groups that they shouldn’t attack Russian interests,” said Richard Gardner, CEO of financial tech and AI firm Modulus. “The group behind the attack on the Midea Group is a legitimate threat, and the United States government should take interest.”
While some companies may consider cutting cybersecurity budgets in anticipation of a recession, that would be a “massive mistake,” Gardner told the Washington Examiner. “A recession does not mean that cyber threats go dormant. Midea is proof of that.”
Other cybersecurity experts noted how easily REvil was able to re-form after supposed arrests by Russian authorities. The reemergence of REvil “speaks to the resiliency of these groups and how multinational and decentralized they are,” added Darren Williams, CEO and founder of BlackFog, a ransomware prevention provider.
However, the return of one ransomware group doesn’t make a huge impact, Williams told the Washington Examiner.
“Whilst it is definitely a concern, as with any ransomware group, there are so many groups ready to fill any void that it doesn’t affect the landscape significantly,” he said. “We also need to remember that many of the people behind these groups work with many of them and are by no means exclusive.”
BlackFog tracks ransomware, and August saw the second-highest number of attacks in a month since 2020, Williams said. The healthcare and services industries both saw a more than 30% increase in attacks during the month.
Other IT experts, however, suggested the reemergence of the group should raise concerns.
“I consider REvil a well-thought-out, organized, meticulous, and patient threat actor,” said Ray Steen, chief strategy officer at MainSpring, an IT strategy consulting firm. “There has been more than one attempt to disband REvil, and clearly, those attempts have failed.”
Both the U.S. government and other U.S. organizations should be on “high alert,” Steen told the Washington Examiner. Organizations should review their cybersecurity posture to “ensure their assets are sufficiently protected.”