REvil’s Websites Shutting Down Sparks Speculation: Another Ransomware Bites the Dust?

Not likely. At least, not for the group behind the ransomware anyway. The timing of REvil’s disappearance has caused quite a stir and plenty of speculation as to why the group has gone dark. Theories abound, including an FBI takedown, an exit scam, or even cooperation from Russian authorities after U.S. President Joe Biden held multiple talks with Russian President Vladimir Putin over ransomware. Bleeping Computer’s Lawrence Abrams reached out to the FBI about the circumstances of the websites shutting down, but the agency declined to comment, which may fuel the FBI theory further. For now, however, that is all these possibilities are: theories.

The one thing we do currently know is that these ransom groups tend to stick around, potentially forming new groups or releasing “new” ransomware under a different name to avoid immediate connection. In early 2019, the authors behind the Gandcrab “ransomware-as-a-service” (RaaS) announced their retirement. Security researchers later discovered links between the Gandcrab and REvil families, proving that the group did not actually retire as claimed. Unfortunately, even if the group does disappear, many others would gladly step in to fill the void and snatch up the newly-stranded customer base. REvil has many “affiliates” who break into networks and use the ransomware to extort their victims. Even if REvil ransomware is not available to them, they can simply switch to another RaaS offering and carry on with their crimes.

Analyst Notes

REvil’s disappearance has caused a lot of speculation, but that does not mean the threat of ransomware has faded. Even if the group does not make a comeback or rebrand, many other groups still exist and pose a very real threat. Binary Defense recommends that organizations continue to evaluate their readiness to defend against and recover from a ransomware attack, following guidance from CISA (the Cybersecurity and Infrastructure Security Agency) and the NCSC (National Cyber Security Centre). These guides provide valuable insight on topics such as the initial infection vectors used by ransomware operators, how to create and protect backups, and how to build an incident response plan for a ransomware attack. Early detection of intrusions remains the best mitigation against the damage caused by ransomware.