Ransomware Isn’t Back. It Never Left

After months of dramatic escalations, two prominent Russia-based ransomware gangs, REvil and Darkside, went quiet for weeks this summer. The pause came as the White House and US law enforcement pledged to combat ransomware and stand up to governments that seemingly offer “safe harbor” to even the most reckless gangs. That lull has officially ended. 

REvil and Darkside launched devastating attacks in the first half of the summer against the well-positioned IT services company Kaseya, the east coast Colonial Pipeline fuel distribution system, and global meat provider JBS among others. As the impacts mounted, and fresh off of committing to a public-private ransomware task force at the end of April, US law enforcement sprang to action. In June, the FBI traced and seized more than $4 million-worth of cryptocurrency that Colonial Pipeline paid to Darkside. And The Washington Post reported this week that the FBI seized the decryption key from REvil servers for the Kaseya ransomware, but didn’t release it so they could pursue an operation against the gang’s infrastructure. REvil abruptly went offline before officials could act on the plan.

White House deputy national security adviser Anne Neuberger even noted at the beginning of August that BlackMatter—an apparent successor to Darkside with technical similarities—had committed to avoid critical infrastructure targets in its attacks. She suggested that the Kremlin might be heeding requests and warnings President Joseph Biden made about ransomware at the beginning of the summer. 

“We’ve noted the decrease in ransomware, and we think it’s an important step in reducing the risk to Americans,” Neuberger added earlier this month. “There could be a host of reasons for it, so we’re noting that trend and we hope that that trend continues.”

It seems unlikely. REvil and other gangs resurfaced after Labor Day weekend. Earlier this week, Russian hackers from BlackMatter launched a ransomware attack demanding $5.9 million from the Iowa grain co-op New Cooperative—a critical infrastructure target key to the US food supply. Meanwhile, on Monday the Cybersecurity and Infrastructure Security Agency, National Security Agency, and FBI issued a joint alert that they have observed more than 400 attacks to date that use Conti ransomware, distributed by a Russia-based ransomware-as-a-service gang that was involved in last year’s rash of hospital attacks.

The US government is pushing forward with its overall ransomware response. On Tuesday, the Treasury Department said it would sanction the Suex cryptocurrency exchange for its alleged involvement in ransom laundering. The Treasury also said that all ransomware victims should contact the department before deciding to pay a ransom to avoid violating sanctions, a call that fits with the White House’s broader effort to get victims to disclose when they’ve been hit with ransomware. The US has no central dataset that reflects every attack, and companies often prefer to keep incidents quiet when possible.

Hackers seem ready and willing to adapt to US enforcement efforts. Some groups have begun proactively warning victims not to disclose attacks to the government, threatening to release stolen files if targets do report the situation. And the gangs may have simply used their time underground to strategize, regroup, and retool while the fallout from high-profile attacks blew over.

“This is absolutely a long game—as soon as you have one group say they’re gone, there’s one right behind them to step in,” says Katie Nickels, director of intelligence at the security firm Red Canary. “And even though in July and August it seemed like the numbers were maybe down, there were still daily attacks and victim data posted on dark web sites daily. So the good news is that the US government seems to be taking actions and making this a priority; it’s just too early to declare victory.”