After causing international mayhem, a notorious cybercrime group appears to have disappeared.
The ransomware gang REvil, whose operators are believed to reside in Russia, has been tied to two of this year’s most disastrous ransomware attacks. In May, the gang successfully hacked large meat supplier JBS (one of America’s largest sources of beef and pork), subsequently extorting $11 million out of the company. Then, about a week ago, the gang claimed responsibility for the attack on global IT supplier Kaseya, demanding $70 million in exchange for a decryption key that would unlock all victims’ data.
Yet REvil’s luck may have run out. Sometime around 1 a.m. on Tuesday, all online traces of the gang weirdly seemed to vanish from the internet. Security professionals began commenting on Twitter that the gang’s websites appeared to be down. In particular, the group’s “leak site”—which REvil has typically used to extort ransoms from victims using data stolen during attacks (and which the gang sardonically dubbed its “Happy Blog”)—has been taken offline.
“All REvil sites are down, including the payment sites and data leak site,” said Lawrence Abrams, security researcher and owner of BleepingComputer. “The public ransomware gang represenative [sic], Unknown, is strangely quiet,” he added, referring to the group’s equivalent of a PR liaison.
The disappearance comes a little more than a week after the gang’s alleged attack on Kaseya, which affected some 1,500 businesses worldwide. As of Tuesday, nobody has yet paid REvil’s demand of a $70 million ransom, which leaves the many hundreds of businesses reportedly affected by the attack in limbo.
While it’s currently unclear why the group has gone AWOL, there are some theories circulating as to what may have happened to the group. The primary ones are as follows:
- They were hacked by a Russian law enforcement agency
- They were hacked by a U.S. law enforcement agency
- They decided to go underground for some unknown reason
Let’s start with the first possibility. The downing of REvil’s sites has occurred less than a week after President Joe Biden reportedly had a terse talk with Russian President Vladimir Putin during which he asked the Russian leader to crack down on ransomware hackers operating from within his nation’s borders. Did Putin finally heed Biden’s call to hold Russian cybercriminals responsible? Did REvil’s servers get fried by some cyber cell of the FSB? It’s possible, but we just don’t know at this point.
Another possibility is that that a U.S. agency may have targeted the gang. The New York Times has suggested that Biden may have “ordered the United States Cyber Command, working with domestic law enforcement agencies, including the F.B.I., to bring it [REvil] down.” If that were the case, the incident would seem to follow a similar trajectory to the one involving DarkSide—the ransomware gang that was responsible for attacking Colonial Pipeline. After extorting a $5 million ransom from Colonial in May, DarkSide suffered an apparent attack on its infrastructure. The group then dropped from view, leaving only a PSA on a dark web forum explaining that it had been targeted by an “unknown law enforcement agency” and that it had thus “closed” its business.
In DarkSide’s case, it was assumed that the gang’s infrastructure had been targeted by a U.S. law enforcement agency—a theory that later seemed to be validated somewhat by news of an FBI operation to track and then seize large portions of the ransom that Colonial paid to the hackers. So... is that what happened to REvil? Again, as of right now, we just don’t know.
Finally, it’s also possible that REvil decided to go underground for some unknown reason, though it seems odd for the gang to do this while still haggling with victims from its Kaseya operation—and before it had secured its $70 million payout. Some security researchers on Twitter have pointed out that ransomware sites do routinely go offline but will usually come back online within a short period of time. Others have argued that this incident seems to be a little different.
In short: We don’t know, we don’t know, we don’t know. As with so much else in the world of cybercrime, there just isn’t enough information publicly available to understand why this event occurred. However, if REvil was hacked by a law enforcement entity, something tells me we’ll have an update on the situation fairly soon.