Lawfare: REvil Is Down—For Now

11/16/2021 | Dmitri Alperovitch and Ian Ward

In a new piece for Lawfare, Silverado's Dmitri Alperovitch and Ian Ward dissect the cyber operations that led the ransomware gang REvil to go offline, and tease out the lessons that the U.S. can learn from these successful operations:

"What lessons can be drawn from these two operations and their success—at least for now—in driving REvil offline? It’s too simplistic to say that offensive cyber operations work. While disruption campaigns are certainly helpful in obstructing ransom groups’ day-to-day operations, Cyber Command’s offensive campaign alone was evidently not sufficient to prompt REvil to go offline. What that operation appears to have done is to alert the group that their Tor keys had been stolen, triggering their ultimate discovery of the earlier covert intrusion. Ironically, it was REvil’s discovery of that intrusion—which the foreign partner had gone to some lengths to hide—that finally prompted them to go offline.

In retrospect, the reason why is obvious. What all criminals—cyber or otherwise—fear most is losing their liberty after being discovered and arrested. In this case, 0_neday’s statement that “they are looking for me” tells us everything we need to know about ransomware criminals’ psychology: The credible threat of losing their freedom and money outweighs the unrealized benefits of continued criminal activity, especially if the criminals in question have already earned millions of dollars in illicit gains."

Read their full analysis here.