The REvil Gang Story: The “Good Guys” Can Still Prevail

Out of all the cybercrime gangs out there, mention the name “REvil” and you will get a palpable response based on the threat this notorious Russian-based group posed. REvil, also known as Sodinokibi, was a notorious ransomware gang that was active from at least April 2019 until (officially) it was dismantled in January 2022. Leading up to its demise, REvil became one of the most successful and damaging cybercrime syndicates in the world. The group was responsible for some of the most high-profile ransomware attacks in recent history.

Ruthless REvil

In May 2021, REvil was found to behind the attacks on JBS and Colonial Pipeline, which disrupted operations at poultry and pork processing plants across the world and resulted in fuel shortages in the southeastern United States. In July 2021 they targeted Kaseya, a software company that provides IT services to thousands of businesses around the world. The attack impacted an estimated 1,500 companies in total.

Needless to say, REvil’s methods were sophisticated and highly effective. The group typically gained access to targets through spear-phishing emails, exploiting vulnerabilities in software, or using stolen login credentials. Once inside a network, REvil actors would spend weeks, or even months, mapping out the organization’s systems and stealing sensitive data before launching a ransomware attack.

The consequences of REvil attacks were devastating for the industry and enterprises they affected. The group’s ransom demands were often in the millions, and paying the ransom provided no guarantee data would be restored. Even worse, REvil was among the hacker groups that went beyond “normal” ransomware attacks and exfiltrated data before encrypting it. This means that if the victim pays the ransom, the attackers may still leak stolen data or use it for future attacks.

The End of REvil

Thankfully, beginning in mid-2021 the wheels started to come off for REvil until eventually they were stopped. Initially, REvil seemed to remove their sites and infrastructure from the internet. Then, bit by bit, community-based efforts helped undo the damage they had inflicted through open decryption tools. This subverted their trusted position in underground communities, and ultimately, a joint, multinational effort disrupted the group’s networks, servers, and backups. In a matter of weeks, indictments and arrests were announced.

A Tale of Victory

The REvil episode is a tale of victory that showed it’s possible to conquer a sophisticated and dangerous hacker group, and also illustrated how. REvil’s story showcased some important steps law enforcement agencies can take to help combat cybercrime:

• Collaborate: One of the most important steps law enforcement agencies can take is to collaborate with other agencies, both international and domestic. By working together, law enforcement agencies can pool resources and share information to track down and apprehend groups.
• Develop Intelligence: This involves gathering information on a group’s activities, methods of attack, and members. Law enforcement agencies can use a variety of methods to gather intelligence, including monitoring online forums and social media, conducting interviews with suspects, and using forensic analysis to gather digital evidence.
• Legal Tooling: Law enforcement agencies can use a range of legal tools to stop hacker groups. For example, they can obtain warrants to search suspects’ computers and devices, and use wiretaps to monitor communications. Additionally, forfeiture laws can be used to seize assets that were obtained through illegal means.
• Increase Awareness: Another important step is to increase awareness of cybercrime and its consequences. Law enforcement agencies can work with businesses and organizations to ensure they understand the risks.
• Invest in Security Services: A recent Gartner survey shows the majority of organizations are pursuing security vendor consolidation in 2022. This trend indicates that organizations are looking to simplify their security infrastructure and streamline security operations. Consolidation can help organizations reduce costs, improve security effectiveness, and increase operational efficiency. By reducing the number of security vendors and products, organizations can focus their resources on a smaller set of solutions and better integrate their security tools. This approach can also help organizations improve visibility into their security posture, as well as better manage and respond to security incidents.

Fighting back against criminal cyberhacker groups is a formidable, challenging mission, but not an impossible one. Ultimately, the fight against cybercrime requires a multi-faceted approach that involves both law enforcement agencies and other stakeholders working together.

A Stark Reminder

The REvil gang serves as a stark reminder of the ongoing threat posed by cybercrime – and the importance of being proactive in our fight against it. It is crucial that law enforcement agencies, businesses, and individuals work together to combat cybercrime and protect ourselves from its devastating consequences.

As IT professionals and executives, we have a responsibility to do our part in this fight. We must prioritize cybersecurity measures and educate our employees about the risks of cybercrime. We should be willing to collaborate and share information with others in our industry, as well as law enforcement agencies, to stay ahead of emerging threats.

While the fight against cybercrime may seem daunting, the demise of the REvil gang is a testament to the power of collaborative efforts and a multi-faceted approach. By working together and leveraging technology, we can prevail against even the most sophisticated and dangerous cybercriminals. In the end, it is up to us to stay vigilant and take action to protect ourselves, our businesses, and our communities.

This article was originally published in Forbes, please follow me on LinkedIn.