FORT WALTON BEACH — The web presence of a Russian-speaking ransomware gang whose victims during a recent and well-publicized spree included Fort Walton Beach-based space and defense contractor HX5 appears to have gone dark.
The “Happy Blog,” a website where the ransomware group REvil had been posting news of its digital conquests, including a claim that it exfiltrated 23 gigabytes of data from HX5, has not been accessible for a couple of days.
HX5 provides an array of “research and development, engineering and technical services to the U.S. government,” according to its website. The company’s clients include the Army, Navy, Air Force and NASA, according to the website. According to federal contracting data, HX5’s work has included involvement with unmanned air systems, programming, and advisory and assistance services for the Air Force, among an extensive portfolio of defense and space work.
Previously: FWB contractor HX5 reportedly hacked by Russian ransomware gang REvil
The HX5 data held for ransom by REvil — which typically operates as a ransomware-as-a-service outfit, supplying its ransomware to affiliates and taking a percentage of any ransom payment as its fee — is about five times the amount of data that fits on a standard DVD and almost 1.5 times the amount of random access memory in a typical laptop computer.
There has been no indication of what specific ransom demands may have been made in connection with the HX5 hack, or on whose behalf the hack may have been carried out.
When the “Happy Blog” was accessible, it displayed copies of data taken from HX5, including income and other financial information for one high-level company official.
HX5 did not return phone calls seeking comment in the immediate aftermath of the ransomware attack, nor had anyone from the company responded as of Friday afternoon to a phone message left late Friday morning.
Over the July 4 weekend, REvil attacked Miami-based software company Kaseya, an incident that affected as many as 1,500 of the company’s customers and their clients, including large businesses.
Brett Callow, a threat analyst with Emsisoft, a New Zealand-based anti-virus software company, said Friday that about all that can be determined definitively about REvil’s disappearance from the web is “that they’re gone for the moment.”
“Quite why they’re gone is something nobody knows for sure,” Callow said. “I suspect that either they decided it might be advisable to take a break, and/or some pressure came down on them from the government which is believed to harbor them.”
Callow is skeptical of claims that REvil may have been brought down through cybersecurity intervention from either the Russian or the U.S. government or another source. One reason for his view, Callow said, is “because all of their infrastructure vanished simultaneously … .”
Probing and attacking the ransomware group from outside likely would have resulted in a more piecemeal dismantling of its capabilities, he added.
Callow said it’s impossible to know the fate of any of the data exfiltrated by REvil.
“Your guess is as good as mine,” he said.
And while REvil appears to have ceased its operations, the people involved may reorganize into another ransomware enterprise.
“It happens all the time,” Callow said.
In the immediate aftermath of the REvil attacks, President Joe Biden warned Russian President Vladimir Putin that the U.S. expects Russia to act on ransomware attacks that are found to be originating in that country. Biden also said the U.S. could attack the computer servers used by Russian ransomware groups, taking them offline, according to a recent report in The New York Times.