
The mysterious group responsible for the last great cyberattack in the US disappears from the internet

2021-07-14T17:27:04.096Z


Washington accuses Moscow of being behind REvil, whose pages were inaccessible on Tuesday. Kacper Pempel / Reuters

The websites managed on the dark internet by the cybercriminal group REvil, responsible for a gigantic ransomware attack which has affected hundreds of companies around the world in recent days, became suddenly inaccessible on Tuesday, according to several cybersecurity experts.

The incident comes after US President Joe Biden suggested last Friday that his country could crack down on attacks carried out from Russian servers.

The cybercriminal group, also known as Sodinokibi, had collected tens of millions of dollars in ransom payments in exchange for restoring sabotaged computer systems, Reuters reported.

The attack began on July 2 when hackers infiltrated technology company Kaseya, which provides network management services, and used its systems to spread the malicious program.

The virus has since reached between 800 and 1,500 companies, mostly in the United States.

Ransomware is a type of malicious software that restricts access to a computer system until a ransom is paid.


The New York Times establishes three hypotheses about the sudden disappearance of the pages of REvil. The first is that President Biden has ordered the United States Cyber Command, which works with agencies such as the FBI, to tear down the pages of the cybercriminal group. The second is that the blackout of the websites has been ordered by Russian President Vladimir Putin, as a gesture after Biden's warnings, and on the eve of a bilateral commission to discuss cyberattacks. The third is that the criminal group itself has decided to temporarily erase itself from the internet so as not to fall into the crossfire between the two presidents. That is what DarkSide, another group based in Russia, responsible for the attack on the Colonial Pipeline oil pipeline that paralyzed much of the fuel supply on the east coast of the United States, did last May.

"It is actually difficult to know why they have disconnected," explains Igor Unanue, CTO of the cybersecurity company S21Sec. "It is likely that they are only updating their systems; you cannot know what has happened until they explain it themselves, if they do. There are many groups that disconnect and come back again," he says. Unanue assures that this cyber attack has been the third most serious so far this year, among the groups that publish their activities on the internet. "Cyberattacks are increasingly harmful," he says. "Before, ransomware was intended to demand a ransom; now it is also blackmail with confidential data and can be a method of industrial espionage."

Alba Villalba, a specialist in the area of cyber intelligence, explains that tracking the program does not allow us to know who the people behind the criminal action are, because it can be commissioned. "REvil has deployed the attack, but they may have rented the program," Villalba says. In the case of Kaseya, "they have not attacked the companies themselves, but they have attacked a service provider, they have been infected with this software and through a chain of infections they have managed to reach hundreds of companies. Clearly the objective is economic, but that does not mean that they can count on state sponsorship," Villalba says.

Kurtis Minder, founder of the cybersecurity firm GroupSense, said that if the blackout of the pages was due to an action by the United States, that would raise some worrisome questions. "If it was an organized cyber offensive, I hope they have considered the possible collateral damage," he said in statements quoted by Reuters. Cybercriminals seize the keys to their victims' encrypted data and if these keys have been lost or destroyed "many companies will have a hard time recovering."

"There are indications that REvil was the victim of the planned dismantling of its infrastructure, either by the operators themselves, or by the industry, or by the authorities," said John Hultquist, from the Mandiant Threat Intelligence company, in a message to AFP.

A recent report by IBM Security X-Force identified Sodinokibi as the most powerful group of ransomware cybercriminals, blaming it for 29% of such cyber attacks in 2020.


Source: elparis
