Have REvil run to the hills? What does this mean for its victims?

Have REvil run to the hills? What does this mean for its victims?'s Tags

Tags related to this article

Have REvil run to the hills? What does this mean for its victims?

Published 27 July 2021

As the USA prepared for a long-awaited 4th July weekend, news began to trickle through about a major incident involving the Kaseya VSA solution. Kaseya provides IT solutions for Managed Service Providers (“MSPs”) and enterprise clients and the incident provided a clear example as to how a substantive supply chain attack can rapidly materialise. The impact of the incident was global, affecting organisations as far flung as Swedish supermarkets and schools in New Zealand. It is estimated that about 1,500 organisations were affected in total.

Shortly after news broke of the incident, the attack was attributed to ransomware group REvil which has been one of the most active ransomware-as-a-service groups since early 2018. Its list of victims ranges from Grubman, Shire Meiselas & Sacks (the law firm of former US President Donald Trump), to JBS Foods, Dairy Farm, Quest and SoftwareOne. It ran the infamous ‘happy blog’ to name and shame victims, including using those sites to publish stolen data.

In the week commencing 12 July 2021, multiple sites involved with REvil’s data leak and hosting went down. It is still not clear what caused the down time and although REvil has been known to suffer short-lived network failures previously, the length of this downtime has been much longer. Security researchers have also confirmed that the group’s representative on Dark Web forums has also not been active. The cyber community has banded around a number of theories including a US takedown, involvement from the Kremlin or an attempt to follow suit with other actors such as Babuk, who go to ground and rebrand.

It would certainly not be the first time that a group has gone to ground suddenly. We have seen the group responsible for the Colonial Pipeline attack closing up, the shutdown of Maze in late 2020 and the retirement of Avaddon earlier this year. Some threat actors publish decryption keys to assist former victims, however, these forms of retirement usually come with public announcements and media statements, akin to the retirement of a major sports icon. One of the most concerning aspects with REvil, which has historically been involved in profile raising interviews and statements, is that they disappeared without any attention. Time will tell, but what does this mean for REvil’s former victims.

Some victims of the Kaseya attack, on the basis of availability of backups and for the sake of business continuity, had made the decision to engage with REvil. Some would have been part way through negotiations and others would have already paid the ransom. Not only are the dark websites down, but so is the REvil background TOR network which hosts the chat function, helpdesk and payment platform. Consequently, the most sensitive decision to move a business towards recovery has been thwarted, resulting in a potential full loss of an organisation’s data that had already run out of options.

The ‘happy blog’ was a dark web (and at times, clear-net) site used to leak sensitive documents of their victims. For those who had data published in full, the picture is most likely the clearest. The organisation could be expected to have undertaken the relevant assessments under the GDPR and moved to notify impacted data subjects.

For those aware of data exfiltration through either a ‘happy blog’ preview or the logs, it presents an unusual dichotomy. How does the risk assessment under the GDPR change now that the threat actor has disappeared? When data is exfiltrated from a victim’s servers, a personal data breach, as defined under the GDPR, may have occurred. The exfiltration would constitute a loss of or unauthorised disclosure of that personal data therefore making it necessary to consider the impact on the rights and freedoms of individual data subjects. REvil’s servers are likely to contain swathes of exfiltrated data meaning that their down time may require organisations to reconsider their assessment of the risk posed by publication.

Notwithstanding the above, REvil’s disappearance does not negate the risk entirely and data may have already been disseminated across other forums. The takedown of servers may assist in the wider communications piece with data subjects and provide some reassurance, but victims should be careful in relying too heavily on the disappearance.

Notably, other organisations who have been taken down have resurfaced with a vengeance. In March 2021, PYSA, a group that has been condemned for targeting a number of educational institutions disappeared and then returned shortly thereafter with the publication of victim’s data from as far back as mid-2020. In the fight against ransomware, a disappearing variant is not one to be celebrated too widely and victims should avoid placing too much reliance on events such as these, or risk being burned a second time.


Cameron Carr

Cameron Carr

London - Walbrook

+44(0)20 7894 6217

< Back to articles