A Russian-speaking cybercriminal group responsible for a series of ransomware attacks on major US firms brought some of its infrastructure back online this week in a sign that it could be back in business, according to cybersecurity experts.
Payment portals and a victim-shaming website used by the so-called REvil group had been quiet since the hackers claimed responsibility for a July ransomware attack on IT provider Kaseya that affected an estimated 1,500 businesses around the world.
“Currently, we have not observed any new victims, but ultimately the group is back to make money as ransomware is very profitable,” said Adam Meyers, senior vice president of intelligence at security firm CrowdStrike.
The development comes three months after a meeting between President Joe Biden and Russian President Vladimir Putin in which Biden said he urged Putin to crack down on cybercriminals operating from Russian soil.
US National Cyber Director Chris Inglis said Thursday that public reports indicate some Russian-speaking ransomware groups have been less active since the Biden-Putin meeting, but that it was “too soon to say that we’re out of the woods on this.”
“I think it’s a fair bet that [the ransomware groups] have self-deconstructed, that they’ve essentially gone cold and quiet to see whether the storm will blow over and whether they can then come back,” said Inglis, a top cybersecurity adviser to Biden.
REvil is one of multiple ransomware gangs suspected of operating out of Russia and Eastern Europe that have extorted millions of dollars out of major companies in recent months. The FBI blamed REvil for a May ransomware attack on JBS USA, which accounts for some one-fifth of US beef production. JBS said it paid the hackers $11 million to unlock their systems.
That incident followed the days-long shutdown of major fuel transporter Colonial Pipeline earlier in May after a ransomware attack by another Russian-speaking criminal outfit known as DarkSide. Colonial Pipeline, which transports some 45% of all fuel consumed on the East Coast, paid its extortionists $4.4 million.
REvil’s reemergence “shows the resiliency of organized cybercrime groups … to get back to business as usual in a relatively short period of time,” Michael DeBolt, chief intelligence officer of cybersecurity firm Intel 471, told CNN.
Ransomware has taken an increasing toll on the US economy in recent years.
Victims of ransomware attacks paid some $350 million in ransoms in 2020, according to Chainalysis, a firm that tracks cryptocurrency. Those who don’t pay can spend millions of dollars rebuilding their computer infrastructure.
Alarmed by the potential of ransomware and other cyber threats to hinder US critical infrastructure, Biden met with executives of key tech and energy firms at the White House in August. In response, Google and Microsoft pledged a combined $30 billion on cybersecurity initiatives.
As the White House tries to pressure Moscow into reining in ransomware groups, US officials have urged businesses to step up their security measures to make hacks less impactful.
The FBI and US Cybersecurity and Infrastructure Security Agency in August reminded companies that the agencies “strongly discourage paying a ransom to criminal actors” because it could allow hackers to invest in new capabilities.