REvil Ransomware Websites Cease to Exist, Fueling Questions of Law Enforcement Takedown

The infamous REvil ransomware gang’s Internet and dark web sites have unexpectedly vanished, just days after President Biden called on Vladimir Putin to take action against ransomware groups and other cybercriminals carrying out attacks on U.S. businesses from inside Russia.

At about 1 a.m. on Tuesday, the websites the gang uses for leaking the data of ransomware victims, its command and control system, and its ransom negotiation chat server disappeared, and they have remained offline since. For one of the group’s websites, the server IP address can no longer be resolved through DNS queries.

REvil has become one of the high-profile ransomware-as-a-service operations. The gang has been linked to many ransomware attacks in the U.S. and around the world, such as the recent attack on JBS Foods and the supply chain attack on Kaseya. On July 2, ransomware was used in attacks on approximately 60 managed service providers (MSPs) and approximately 1,500 of their clients. A $70 million ransom was demanded for the keys to decrypt the victims’ files, with the demand dropping to $50 million shortly afterward.

Though it is not unusual for ransomware operations to go quiet, or for systems to be taken offline temporarily, the timing of the shutdown suggests that either the U.S. or the Russian government has taken action. The FBI has not commented on the shutdown of the REvil servers, and the press secretary of the president of the Russian Federation, Dmitry Peskov, told TASS reporters that he did not know what had happened to the servers. It is likely that the loss of the systems is due to a hardware failure or simply to the gang deciding to lay low, particularly after such a serious attack.

Ransomware gangs have faced a good deal of scrutiny following the DarkSide ransomware group’s attack on Colonial Pipeline. Soon after the attack, the White House announced that efforts to target ransomware groups and their infrastructure would be intensified. Following the attack, the DarkSide RaaS operation shut down as a result of law enforcement’s subtle takedown of its infrastructure.

At the Geneva summit, President Biden spoke with Vladimir Putin about cyberattacks on U.S. businesses by cybercriminal groups operating within Russia and told him to take action to break up the gangs, even if the attackers were not state-sponsored.

A few days ago, President Biden spoke with Putin, demanding action against ransomware gangs operating out of Russia. Biden told reporters right after the call that the U.S. will act to take down the ransomware gangs’ servers if Russia fails to.

A number of news outlets, including the BBC, have reported that the shutdown was the result of action taken by the U.S. to cut off the group’s systems. A BBC reporter spoke with one person, presumably an REvil affiliate, who said the group had shut down its infrastructure following a partial takedown by federal authorities and growing pressure from the Kremlin.

Vitali Kremez of Advanced Intel stated that, according to uncorroborated information, REvil’s server infrastructure received a [Russian] government legal request pressuring REvil to completely erase its server infrastructure and disappear. However, this has not been confirmed.

It is too early to tell what has happened and whether the shutdown will be short-lived or long-term. As is often the case after a ransomware-as-a-service operation shuts down, the gang may simply come back under another name, as REvil did before.