It is not unusual for professional cybercriminal organizations to disappear without a trace, especially after a blow like the one the REvil group struck 10 days ago, when its ransomware infected more than a thousand organizations around the world in a gigantic cyberattack that put the group squarely in the crosshairs. What is much less common is for that disappearance to come hours after the US president picks up the red phone to talk about hackers with Vladimir Putin.
On Friday Joe Biden phoned his Russian counterpart to tell him that if he did not act to clip the wings of the digital gangster group (which allegedly operates from Russian territory), he would order his own forces to do so. At least that is what he told the press, answering with a concise “yes” when asked whether he would take the initiative against REvil if Putin did not move. The group of cybercriminals had crossed the line with its latest action, which mainly affected American companies and caused them losses of billions of dollars.
Four days later, the digital infrastructure with which REvil (short for Ransomware Evil) perpetrated its cyberattacks was dismantled. The community of American cybersecurity experts is considering three possible explanations, The New York Times reports. One is that Biden made good on his threat and that US Cyber Command, together with the FBI, acted to dismantle the organization.
Another theory is that it was Putin who ordered his forces to act against REvil. The third is that the group itself decided the atmosphere around it had become too heated and chose to erase its trail, perhaps urged to do so by the Kremlin.
“Right now any option is on the table, there has been a lot of movement at the geopolitical level,” Josep Albors, director of research and awareness at ESET Spain, explains to elDiario.es.
The first theory to check is the least epic: that these digital gangsters have decided to act like the usual kind, hiding when they feel stalked. “There are precedents of groups that, once they have achieved their objective, have preferred to disappear and reappear later under another name. That way they try to get rid of the persecution, because on the surface they are another group,” Albors explains. It is a tactic that can ease the pressure on them a little, but it is not too effective: “Analysts know how to recognize them when they reappear because of the techniques they use.”
In recent years, the most common strategy of cybercriminal groups that extort money from their victims through ransomware has been to keep a low profile. This type of attack encrypts the victim’s files and prevents it from using its computers. When all seems lost, the digital gangsters get in touch and offer the key to decrypt the systems in exchange for a sum of money in cryptocurrencies and the possibility of keeping everything secret.
But when REvil’s ransomware infected some 1,500 organizations around the world, some of them Spanish, the low-profile route was no longer available. The infection spread through administrative software distributed by the American company Kaseya and used by all those organizations. Given the magnitude of the cyberattack, REvil chose to offer a key for all of them at once in exchange for $70 million.
The damage REvil caused in the US forced Biden to declare ransomware a threat to national security and to get in direct contact with Putin. It was the second time the gang had hit the country hard: a little over a month earlier it attacked the company responsible for producing 20% of US beef and pork, raising fears of a possible shortage.
At the cybersecurity firm ESET they point out that ransomware is not a geostrategic problem. “You have to keep in mind that REvil, like many other criminal groups, is a professional organization that offers its ransomware as a service. They are not the ones who directly attack the companies; what they do is rent it out to other criminals who do not have the tools to develop these threats,” Albors details.
It works as an “affiliate system” in which they create the malware and others are responsible for infecting the organizations in their environment with it. When a ransom is collected, “the profits are shared,” the expert explains. Normally, the creators of the ransomware give a series of guidelines for using it, such as “don’t attract too much attention”, something that clearly failed in the Kaseya case.
The real reason for the disappearance of the REvil infrastructure, which had taken a prominent position in that cybercrime industry, remains for the moment in the realm of speculation. Whether it was a police operation on foreign territory, a flight by the cybercriminals or a gesture of goodwill by Putin towards the new US president is something that will only be revealed when one of those involved decides to unravel the mystery.