REvil Ransomware Websites Disappear Fueling Speculation of Law Enforcement Takedown
The notorious REvil ransomware gang’s Internet and dark web sites have suddenly gone offline, days after President Biden called Vladimir Putin demanding action be taken against ransomware gangs and other cybercriminals conducting attacks from within Russia on U.S. companies.
At around 1 a.m. on Tuesday, the websites used by the gang for leaking data of ransomware victims, their ransom negotiation chat server, and command and control infrastructure went offline and have remained offline since. For one of the gang’s sites, the domain name no longer resolves to a server IP address in DNS queries.
REvil has grown into one of the most prolific ransomware-as-a-service operations. The gang was behind many ransomware attacks in the United States and worldwide, including the recent attack on JBS Foods and the supply chain attack on Kaseya, which saw ransomware used in attacks on around 60 managed service providers and up to 1,500 of their clients on July 2. A ransom demand of $70 million was issued to supply the keys to decrypt all victims’ devices, with the demand falling to $50 million shortly after.
While it is not unusual for ransomware operations to go quiet, or for infrastructure to be temporarily taken offline, the timing of the shutdown suggests either the U.S. or Russian government has taken action. The FBI has not commented on the shutdown of the REvil servers, and the press secretary of the president of the Russian Federation, Dmitry Peskov, told TASS reporters that he had no knowledge of the reason why the servers had gone dark. It is also possible that the loss of infrastructure is due to hardware failure or simply the gang deciding to lie low, especially after such a major attack.
Ransomware gangs have faced a great deal of scrutiny following the attack on Colonial Pipeline by the DarkSide ransomware gang. Shortly after the attack, the White House announced that efforts to target ransomware gangs and their infrastructure would be stepped up. Following the attack, the DarkSide RaaS operation shut down, due to a silent takedown of their infrastructure by law enforcement.
At the Geneva summit, President Biden spoke with Vladimir Putin about cyberattacks conducted on U.S. companies by cybercriminal groups operating within Russia and urged him to take steps to disrupt the gangs, even though the attackers were not sponsored by the state.
A few days ago, President Biden called Putin demanding action be taken against ransomware gangs operating out of Russia. Biden told reporters after the call that the United States would be taking steps to get the servers of ransomware gangs taken down if Russia did not.
Some news outlets, such as the BBC, have reported the shutdown was due to action taken by the United States to disrupt the group’s infrastructure. A BBC reporter spoke to one individual, allegedly an REvil affiliate, who said the group had shut down its infrastructure following a partial takedown by federal law enforcement and increasing pressure from the Kremlin.
Vitali Kremez of Advanced Intel said: “Upon uncorroborated information, REvil server infrastructure received a [Russian] government legal request forcing REvil to completely erase server infrastructure and disappear. However, it is not confirmed.”
It is too early to tell what has happened and whether the shutdown will be temporary or permanent. As is often the case following the shutdown of a Ransomware-as-a-Service operation, the gang may simply return under a different name, as REvil has done in the past.
This story will be updated as further information becomes available.