
REvil and the rise of ransomware

Ransomware gang REvil’s websites mysteriously disappeared off the dark web during the week of July 13. This news comes just days after U.S. President Biden demanded Russian President Vladimir Putin shut down ransomware groups and collectives operating within Russia. Some speculate that this is the result of U.S. nation-state cyber defenses taking down REvil’s website servers; however, no evidence has yet emerged explaining why the site has been shut down.


REvil is publicly—and notoriously—known as the hacker group responsible for the Kaseya cyberattack that occurred on July 2. The cyberattack compromised over 200 businesses, spreading ransomware across the company’s clients that were using Kaseya’s network assessment tools.


This was not, however, the first instance of an attack claimed by REvil. In fact, ransomware itself has been on the rise since the pandemic began.


Ransomware itself is a special form of computer malware, or virus, often deployed by hackers. This malware completely locks a computer through encryption, rendering it unusable unless a set amount of ransom is paid. It’s common for the hackers in control of the malware to threaten to sell, leak or destroy information within the computer or network if the ransom is not paid. CD Projekt Red’s recent issues with data hacked from its studio exemplify the struggle between ransomware operators and technology companies.


These individuals do not always work alone, either. These ransomware gangs are part of organized cybercrime syndicates, which is a fancy way of describing organized crime conducted through computer hacking. DarkSide is another example of an infamous ransomware gang, having decimated Colonial Pipeline’s supply chain in May.


Using the term “gang” alongside any hacker synonym may not properly paint the picture of the individuals involved in these acts. These hackers, often anonymous, can come from anywhere in the world, including nation-state backed individuals. Other syndicates may instead choose to sell ransomware packages online via the dark web, allowing anyone with enough money and access to deploy malware that can attack any computer network, so long as the buyer credits the attack to the gang itself.


Ransomware attacks increased 150% in 2020, with over a 300% increase in payments to those ransoms, and the numbers are expected to grow even further this year. There are many factors that could explain why cyber threats have increased exponentially since the pandemic, starting with the fundamental shift to remote work and computer usage caused by the global catastrophe. There are other key aspects which could help explain why ransomware is so frequent in the wild.


One reason has to do with quick profitability. The first ransomware attack was known as the 1989 AIDS trojan, found on 20,000 floppy disks given to healthcare industry professionals, where $189 was requested in order to unlock the computers. Fast forward to 2021, where Colonial Pipeline paid a hefty $5 million in ransom. Deploying a ransomware attack is a simple and near-instantaneous, albeit illegal, way to make money. With the rise in remote work, most companies panic and feel as if they have little option but to pay, in order to prevent further disaster. It should be noted the FBI explicitly warns companies and individuals not to pay ransoms, as such payments may constitute an act of terrorism under U.S. law.


The other reason is anonymity. The adoption of cryptocurrency allows for more frequent and completely anonymous transactions that are impossible through other methods, such as a wire transfer. Anonymity is baked into the decentralized nature of the crypto world, giving cybercriminals easy methods to conduct transactions without anything being traced back to them.


The final reason has to do with the ever-impending threat of other nation-states and their interference within critical U.S. infrastructures. Targets like Colonial Pipeline and JBS both show the fragility of our nation’s supply chains, something that foreign adversaries could exploit. 


Making money while causing mayhem is a sad yet real motivation behind the rise in ransomware attacks. Health care systems are most at risk, with a 125% increase in attacks in 2021, and over a 470% increase since 2019. This particular infrastructure holds highly sensitive data, and resolving these incidents must be done significantly faster than in other industries; otherwise patients may very likely die without access to healthcare technology.


It’s understandable that even some of the best minds in cybersecurity may not be able to fully prevent ransomware if these attacks are carried out by government-supported teams. Realistically speaking, however, there are still many ways to prevent every type of security threat a company, individual or even a university may face.


Companies and universities can read through CISA’s ransomware guides and services, which provide tools for threat detection and detailed instructions on how to spot threat actors and prevent them from breaking through defenses. Beyond any other measure, entities should treat cyber security as seriously as possible. Budgeting for defenses and hiring cyber security teams are vital if current computer networks hold data regarding developing technologies, sensitive materials or critical infrastructure information.


Individuals do not need to hire their own independent teams, but understanding cyber hygiene will help prevent potential hacking attempts on home networks or devices. For the average consumer, this involves installing software updates immediately when they become available (no matter how annoyingly they pop up), changing passwords, using a VPN in public or on widely shared WiFi networks, using two-factor authentication (or push notifications for PSU students) and never opening emails from addresses you don’t recognize. Additionally, any victims of cybercrime may contact their local FBI field office and file a report with the FBI’s IC3.