The well-known REvil ransomware gang’s Internet and dark websites have all of a sudden vanished, days following President Biden talked to Vladimir Putin demanding action against ransomware groups and other cybercriminals performing attacks from inside Russia on American firms.
At about 1 a.m. on Tuesday, the sites that the gang utilizes for leaking information of ransomware victims, their command and control facilities, and their ransom negotiation chat server disappeared and have stayed offline since then. For one of the group’s websites, the server IP address is not resolvable by way of DNS queries.
REvil has turned into one of the most respected ransomware-as-a-service operations. The gang was responsible for a lot of ransomware attacks in the U.S.A. and globally, which include the latest supply chain attack on Kaseya and the attack on JBS Foods. Ransomware was utilized in attacks on approximately 60 managed service providers (MSPs) and around 1,500 of their customers on July 2. A $70 million ransom demand was given to provide the keys to decrypt the victims’ data, with the ransom demand dropping to $50 million soon after.
Although it is not uncommon for ransomware operations to go quietly, or for infrastructure to be briefly taken down, the timing of the shutdown indicates either the Russian or U.S. government has done something. The FBI did not comment on the REvil servers shut down, and the press secretary of the president of the Russian Federation, Dmitry Peskov, said to TASS reporters that he did not know the explanation of what happened to the servers. It’s possible that the loss of the system is caused by hardware malfunction or merely the gang choosing to lay low, particularly after such a big attack.
Ransomware gangs have experienced quite a lot of scrutiny right after the DarkSide ransomware group’s attack on the Colonial Pipelin. Immediately after the attack, the White House declared that initiatives to target ransomware groups and their infrastructure will be escalated. Right after the attack, the DarkSide RaaS operation ceased, because of the law enforcement’s quiet control of their infrastructure.
At the Geneva summit, President Biden talked with Vladamir Putin regarding cyberattacks carried out on U.S. organizations from cybercriminal groups working inside Russia and advised him to do something to stop the gangs, although the attackers weren’t state-sponsored.
A couple of days ago, President Biden called Putin to take action against ransomware gangs working beyond Russia. Biden said to reporters right after the call that the U.S. is going to do something to shut down the ransomware gangs’ servers if Russia didn’t.
A few news outlets, for example, the BBC, have said the shutdown was because of action done by America to break up the group’s system. A BBC reporter talked to one person, purportedly an REvil affiliate, who mentioned the group had de-activated its infrastructure subsequent to a partial takedown by federal authorities and escalating tension from the Kremlin.
Bitali Kremez of Advanced Intel stated that based on uncorroborated data, REvil server infrastructure got a [Russian] government legal demand requiring REvil to entirely remove server infrastructure and vanish. Nevertheless, that is not confirmed.
It is quite premature to tell what has taken place and if the shutdown will be momentary or long-lasting. As is frequently the case right after the shutdown of a Ransomware-as-a-Service operation, the gang may just come back using a new name, as REvil did previously.