Russian cyber gang REvil, blamed for global ransomware attack, disappears

By: Will F.

REvil, the Russia-linked cyber gang blamed earlier this month for a massive ransomware attack that affected hundreds of businesses globally, has vanished from the web.

As of Tuesday morning, the group’s public website, the dark-web site the gang used to facilitate its ransom negotiations, and the site that victims used to pay the ransom fees were all offline, multiple cybersecurity analysts said.

It’s not clear what led to the Russia-linked ransomware-as-a-service group’s websites going dark.

But the sudden outage came just days after President Biden said he pressed Russian President Vladimir Putin to act against hackers that are operating from Russia.

“I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect him to act,” Biden told reporters last week after a call with Putin.

Ransomware attacks, often orchestrated by Eastern European hacking groups, have surged over the past 18 months as the pandemic and work-from-home accommodations have made businesses especially vulnerable to cybercrime.

Last month, JBS Foods, the world’s largest meat supplier, was hit by a ransomware attack that the FBI accused REvil of orchestrating. JBS eventually paid an $11 million ransom to resolve the attack, which threatened to disrupt US meat supply.

And earlier this month, REvil claimed to be behind a sweeping ransomware attack that disrupted operations at hundreds of companies around the world. The hackers targeted software company Kaseya and demanded $70 million in Bitcoin as ransom.

Rep. John Katko, the top Republican on the House Homeland Security Committee, called the attack a “moment of reckoning” in US-Russia relations.

“Only weeks after President Biden sat down with Putin and allegedly talked a tough game with Russia, hackers from Russia again attacked thousands of U.S. companies, compromising our nation’s critical infrastructure,” the top-ranking House Homeland Security Committee Republican said.

“Adversaries like Russia are creating safe havens for bad actors and we must project strength,” the New York lawmaker added.

The sites linked to REvil could have gone dark for a variety of reasons, cybersecurity analysts said. It’s unclear if the group took their own sites down or whether law enforcement from any country intervened.

Last week, after Biden said that the US expects Russia to act against the group, a reporter asked Biden if he would take down the group’s servers if Putin failed to.

“Yes,” the president said.

In addition to REvil’s websites, “all of their infrastructure” used to control their hacking operations is also dark, Allan Liska, an intelligence analyst who tracks ransomware for the cybersecurity firm Recorded Future, told Politico.

The REvil episode comes after another ransomware gang that was believed to be based in Russia, DarkSide, attacked Colonial Pipeline, spurring gas shortages and panic buying across the Southeast US in May.

The company that operates the pipeline paid about $4.3 million in ransom to the group, but the Justice Department announced last month that it was able to recover the payment and shutter the group.