Security researchers are reporting that all of the dark web sites for prolific ransomware group REvil — including the payment site, the group’s public site, the ‘helpdesk’ chat and their negotiation portal — are offline.
It is still unclear what caused the outages, but dozens of theories were floated online. On Friday, US President Joe Biden made news when he said he spoke directly to Russian President Vladimir Putin following REvil’s massive ransomware attack on Kaseya that affected almost 1,500 organizations.
“I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden said.
“And secondly, we’ve set up a means of communication now on a regular basis to be able to communicate with one another when each of us thinks something is happening in another country that affects the home country. And so it went well. I’m optimistic.”
White House officials are expected to meet with members of the Russian government to discuss ransomware this week.
While some security researchers believe the group may have taken their own websites down, either because of internal squabbles or fear over increased law enforcement scrutiny, others think it may be the result of official actions taken by government agencies.
“We all want to believe it is law enforcement, but this is a pretty extensive takedown across multiple providers,” said Allan Liska, a ransomware expert and CSIRT at Recorded Future.
“This early on the more likely scenario is that it is a self-directed takedown. But I wouldn’t rule out ‘self-directed after a conversation with the Kremlin.’ We’ve been speculating about this since the Kaseya attack: Biden gets a win because a major ransomware gang is gone, Putin gets a win because he ‘helped’ and REvil gets to keep all of their money (and their heads). The timing, the day before the next ransomware summit tomorrow, also lines up. But, that is all speculation.”
Jake Williams, CTO at BreachQuest, added that ransomware gangs operating in Russia “were on borrowed time the second Colonial was hit,” explaining that the Russian government didn’t care about the cybercrime occurring within its borders as long as it didn’t impact Russia itself.
“That has clearly changed – the Russian government can clearly see they are being impacted by the actions of these actors. Whether REvil was taken out of commission by the Russian government, saw the writing on the wall and took infrastructure down, is simply rebranding like so many groups have (likely including REvil itself), or something else is unknown at this point,” Williams said.
The Digital Shadows Photon Research Team has been scouring Russian-language forums for chatter about the outage and said that while discussion is limited, “some threat actors have speculated that even if law enforcement agencies have successfully targeted REvil, this will not spell the end of the group’s activities.”
“Some predicted that the group will reappear under another name or split into smaller groups to attract less attention,” the team said.
“The inaccessibility of the REvil ransomware group’s websites is unusual because the group’s infrastructure has historically been more stable than that of other ransomware groups. The outage could be down to temporary technical issues or upgrades, or it could signify a law enforcement disruption of the group’s operations. REvil’s representatives have not appeared on high-profile Russian-language cybercriminal forums for several days.”
Others, like Check Point Software spokesperson Ekram Ahmed, compared the situation to the DarkSide ransomware group, which shut down its operations in May after its attack on Colonial Pipeline drew global headlines and outrage in the US. DarkSide also saw some of its infrastructure disrupted by US law enforcement agencies after the attack.
“Though it might be too early to celebrate, another viable possibility is that the ransomware gang has decided to lay low, given all the attention and spotlight they’ve undergone recently from the Kaseya, Colonial Pipeline and JBS attacks,” Ahmed explained.
“It’s possible that REvil has gone into ‘retirement’, or at least a temporary one, as they did with the GandCrab ransomware a few years ago.”
REvil has attacked at least 360 US-based organizations this year, according to Emsisoft threat analyst Brett Callow. The RansomWhere research site says the group has brought in more than $11 million this year, with high-profile attacks on Acer, JBS, Quanta Computer and more.
Egnyte cybersecurity evangelist Neil Jones said people should be wary of celebrating the group’s potential downfall because new ransomware infrastructure can be brought online quickly.
Steve Moore, chief security strategist at Exabeam, theorized that the outage “could be criminal maintenance, planned retirement, or, more likely, the result of an offensive response to the criminal enterprise.”
“If the outage is the result of an offensive response, this then sends a new message to these groups that they have a limited window in which to work,” Moore said. “Furthermore, if a nation responds to criminals backed by and hosted in another country, this will change the definition of risk for affected private organizations.”