Sites and ransomware portals used by Russian hacking gang REvil to attack US businesses mysteriously vanish from the dark web just days after Biden urged Putin to take action
The Russia-based criminal syndicate behind a devastating series of recent ransomware attacks on US businesses is now mysteriously offline just days after President Biden urged Russian leader Vladimir Putin to take action.
REvil's dark web data-leak site and ransom-negotiating portals have both been unreachable since about 1am on Tuesday.
Cybersecurity experts, however, said that it was premature to speculate why and that there was no indication of a law enforcement takedown.
REvil, also known as 'Ransomware evil', was responsible for the Memorial Day ransomware attack on the meat processor JBS and the supply-chain attack this month targeting the Miami-based software company Kaseya that crippled well over 1,000 businesses globally.
The Russia-based criminal syndicate behind a devastating series of recent ransomware attacks on US businesses is now mysteriously offline just days after President Biden urged Russian leader Vladimir Putin to take action
Biden told Putin on a call Friday that he needed to rein in attacks from Russia-based groups and warned that the US had the right to defend its people and critical infrastructure from attacks.
There were no immediate or public signs that the government had anything to do with REvil appearing offline.
Vanishing acts are common in the ransomware world where gangs tend to disappear and rebrand when they begin attracting too much heat.
Threat researcher Ryan Sherstobitoff of SecurityScorecard said it was also possible that the group was laying low after the attack or switching methods 'as we did expose them'.
Sean Gallagher, a threat researcher at the cybersecurity firm Sophos, added: 'It could be that the server hardware failed, or that it was intentionally taken down, or that someone attacked their host.'
He noted that REvil's public ransom-negotiating site was also down last week.
Spokespeople for the White House and US CyberCommand, the Pentagon's cyber arm, declined to comment on Tuesday about REvil going dark.
REvil, also known as 'Ransomware evil', was responsible for the Memorial Day ransomware attack on the meat processor JBS
'We have seen no indicators for either voluntary shutdown nor of any offensive steps from law enforcement,' said Alex Holden, founder and chief information security officer of Hold Security.
'Right now, perhaps, it is too early to speculate, especially as REvil was building up their strength over the recent months.
'There is always a glimmer of hope that Russia is finally doing something right.'
Ransomware variants have previously disappeared as the criminals behind them retooled and modified their malware before introducing it under a new guise.
That is what threat analysts believe happened with a precursor to the REvil ransomware-as-a-service software called Gandcrab.
It was the most successful variant over a 15-month run that began in January 2018.
REvil has claimed responsibility for a series of attacks on US businesses this year alone.
The unprecedented attack targeting the Miami-based software firm Kaseya, which was reported July 2, affected an estimated 1,500 businesses globally.
The Kaseya attack shut down a major Swedish supermarket chain and ricocheted around the world, impacting businesses in at least 17 countries, from pharmacies to gas stations, as well as dozens of New Zealand kindergartens.
Meanwhile, the attack on JBS saw America's largest beef supplier end up paying an $11 million ransom in Bitcoin to the hackers who shut down its plants.
JBS learned of the attack early on May 30 after discovering 'irregularities' on its servers and a ransom note.
The hack threatened to disrupt meat supplies across the United States over Memorial Day weekend.
REvil was also behind the supply-chain attack this month targeting the software company Kaseya that crippled well over 1,000 businesses globally
