REvil, the infamous ransomware cartel behind some of the biggest cyberattacks of recent months, including those on JBS and Kaseya, has mysteriously vanished from the dark web, leading to speculation that the criminal enterprise may have been taken down.
Several darknet and clearnet sites operated by the Russia-linked cybercrime syndicate, including its data breach, extortion and payment portals, remained inaccessible, displaying an “Onionsite not found” error message.
The group’s Tor network infrastructure on the dark web consists of a data breach blog site and 22 data hosting sites. It’s not immediately clear what prompted the infrastructure to go offline.
REvil is one of the most prolific ransomware-as-a-service (RaaS) groups, first appearing on the threat landscape in April 2019. It is an evolution of the GandCrab ransomware, which hit underground markets in early 2018.
“If REvil has been permanently disrupted, it will mark the end of a group that has been responsible for more than 360 attacks on the public and private sectors of the United States this year alone,” Brett Callow of Emsisoft tweeted.
The sudden development comes close on the heels of the large-scale supply chain ransomware attack on tech service provider Kaseya, for which REvil (aka Sodinokibi) took responsibility and demanded a ransom of $70 million in exchange for a universal decryption key that would unlock all victims’ data.
The disastrous attack saw the ransomware gang encrypt approximately 60 Managed Service Providers (MSPs) and more than 1,500 downstream companies by exploiting a zero-day vulnerability in Kaseya VSA remote management software. In late May, REvil also orchestrated the attack on the world’s largest meat producer, JBS, which ended up paying the extortionists $11 million to recover from the incident.
The outage also coincides with US President Joe Biden’s phone call with Russian President Vladimir Putin last week, in which he urged Putin to take action to disrupt ransomware groups operating in the country while warning of retaliatory measures to defend critical infrastructure.
“The situation is still ongoing, but the evidence suggests that REvil has suffered a planned and simultaneous withdrawal of its infrastructure, either by the operators themselves, or through industry or law enforcement measures,” John Hultquist of FireEye Mandiant told CNBC.
It looks like REvil’s Happy Blog went offline around 1:00 a.m. EST Tuesday, with vx-underground noting that the group’s public representative, Unknown, hasn’t posted on popular hacking forums such as Exploit and XSS since July 8.
Subsequently, a representative of the LockBit ransomware posted on the Russian-speaking XSS hacking forum that REvil’s attack infrastructure had received a legal request from the government, causing the servers to be dismantled. “REvil is banned from XSS,” vx-underground added later.
It is not uncommon for ransomware groups to go dark after high-profile incidents. After the DarkSide gang targeted Colonial Pipeline in May, its operators announced they were considering shutting down the RaaS affiliate program for good, claiming their servers had been seized by an unknown law enforcement agency, raising questions as to whether the group had actually retired or simply rebranded under a new name.
This theory was further supported when the US Department of Justice revealed last month that it had recovered most of the ransom paid by Colonial Pipeline to the DarkSide group by tracing the bitcoin transactions.
REvil’s unexplained shutdown could similarly be a case of planned retirement; a temporary setback that forces it to seemingly disband, only to eventually regroup under a new identity in order to attract less attention; or a consequence of increased international scrutiny following a global ransomware crisis.
If it turns out that the group has definitively closed its operations, that decision will inevitably leave the group’s existing victims without a viable means of negotiating ransoms and obtaining the decryption keys needed to regain control of their systems, permanently locking them out of their data.
“I don’t know what that means, but whatever, I’m happy!” tweeted Katie Nickels, Director of Intelligence at Red Canary. “If this is a government withdrawal – great, they are taking action. If the actors have voluntarily been silent – excellent, maybe they’re scared.”