After months of dramatic escalations, two prominent Russia-based ransomware gangs, REvil and Darkside, went quiet for weeks this summer. The pause came as the White House and US law enforcement pledged to combat ransomware and stand up to governments that seemingly offer “safe harbor” to even the most reckless gangs. That lull has officially ended.
REvil and Darkside launched devastating attacks in the first half of the summer against the well-positioned IT services company Kaseya, the east coast Colonial Pipeline fuel distribution system, and global meat provider JBS among others. As the impacts mounted, and fresh off of committing to a public-private ransomware task force at the end of April, US law enforcement sprang to action. In June, the FBI traced and seized more than $4 million-worth of cryptocurrency that Colonial Pipeline paid to Darkside. And The Washington Post reported this week that the FBI seized the decryption key from REvil servers for the Kaseya ransomware, but didn't release it so they could pursue an operation against the gang's infrastructure. REvil abruptly went offline before officials could act on the plan.
White House deputy national security adviser Anne Neuberger even noted at the beginning of August that BlackMatter—an apparent successor to Darkside with technical similarities—had committed to avoid critical infrastructure targets in its attacks. She suggested that the Kremlin might be heeding requests and warnings President Joseph Biden made about ransomware at the beginning of the summer.
“We’ve noted the decrease in ransomware, and we think it’s an important step in reducing the risk to Americans,” Neuberger added earlier this month. “There could be a host of reasons for it, so we’re noting that trend and we hope that that trend continues.”
It seems unlikely. REvil and other gangs resurfaced after Labor Day weekend. Earlier this week, Russian hackers from BlackMatter launched a ransomware attack demanding $5.9 million from the Iowa grain co-op New Cooperative—a critical infrastructure target key to the US food supply. Meanwhile, on Monday the Cybersecurity and Infrastructure Security Agency, National Security Agency, and FBI issued a joint alert saying they have observed more than 400 attacks in total using Conti ransomware, which is distributed by a Russia-based ransomware-as-a-service gang that was involved in last year's rash of hospital attacks.
The US government is pushing forward with its overall ransomware response. On Tuesday, the Treasury Department said it would sanction the Suex cryptocurrency exchange for its alleged involvement in ransom laundering. The Treasury also said that all ransomware victims should contact the department before deciding to pay a ransom to avoid violating sanctions, a call that fits with the White House's broader effort to get victims to disclose when they've been hit with ransomware. The US has no central dataset that reflects every attack, and companies often prefer to keep incidents quiet when possible.
Hackers seem ready and willing to adapt to US enforcement efforts. Some groups have begun proactively warning victims not to disclose attacks to a government, threatening to release stolen files if targets do report the situation. And the gangs may have simply used their time underground to strategize, regroup, and retool while the fallout from high-profile attacks blew over.
“This is absolutely a long game—as soon as you have one group say they’re gone, there’s one right behind them to step in,” says Katie Nickels, director of intelligence at the security firm Red Canary. “And even though in July and August it seemed like the numbers were maybe down, there were still daily attacks and victim data posted on dark web sites daily. So the good news is that the US government seems to be taking actions and making this a priority; it's just too early to declare victory.”
Jake Williams, a former NSA hacker and chief technology officer at the incident response firm BreachQuest, says that while he's seen fewer ransomware attacks in recent months, he's under no illusion that the threat is waning.
“I think the groups are recalculating their risk and making infrastructure upgrades like retooling and building new implants so they can keep operating,” he says. “Law enforcement can take down infrastructure all day long, but it’s never going to change until we make it not profitable to run ransomware attacks.”
Any dip in high-profile attacks also belies the steady drumbeat of ransomware attacks that don't make the headlines, which by some accounts didn't pause at all.
“In our data there wasn’t even a significant dip in ransomware attacks this summer globally or even just in the US,” says Fabian Wosar, chief technology officer of the antivirus firm Emsisoft, which also makes decryption tools for ransomware response. It was inevitable, he adds, that aggressive groups who went dark would eventually reemerge.
“It was obvious that REvil in particular wouldn’t be gone for long. And it was also very obvious that Darkside wouldn’t be gone forever either,” he says. “At the point where infrastructure is being taken down and law enforcement agencies catch up to them, they’ve probably already made millions if not tens of millions of US dollars, so it’s way too late by that stage.”
With a threat as lucrative as ransomware, where attackers can afford to take weeks or months off to go underground and regroup, US officials are going to have to work even harder to get ahead of the game.