After inflicting worldwide mayhem, an infamous cybercrime group seems to have disappeared.
The ransomware gang REvil, whose operators are believed to be based in Russia, has been tied to two of this year’s most devastating ransomware attacks. In May, the gang successfully hacked the giant meat supplier JBS (one of America’s largest sources of beef and pork), subsequently extorting $11 million from the company. Then, about a week ago, the gang claimed responsibility for the attack on global IT provider Kaseya, demanding $70 million in exchange for a decryption key that would unlock all victims’ data.
Yet REvil’s luck may have run out. Sometime around 1 a.m. on Tuesday, all online traces of the gang abruptly appeared to vanish from the web. Security professionals began commenting on Twitter that the gang’s websites appeared to be down. In particular, the group’s “leak site,” which REvil has typically used to extort ransoms from victims using data stolen during attacks (and which the gang sardonically dubbed its “Happy Blog”), has been taken offline.
“All REvil sites are down, including the payment sites and data leak site,” said Lawrence Abrams, security researcher and owner of BleepingComputer. “The public ransomware gang represenative [sic], Unknown, is strangely quiet,” he added, referring to the group’s equivalent of a PR liaison.
The disappearance comes a little more than a week after the gang’s alleged attack on Kaseya, which affected some 1,500 companies worldwide. As of Tuesday, no one has yet paid REvil’s demand of a $70 million ransom, which leaves the many hundreds of companies reportedly affected by the attack in limbo.
While it’s currently unclear why the group has gone AWOL, there are several theories circulating as to what may have happened to it. The main ones are as follows:
- They were hacked by a U.S. law enforcement agency
- They were hacked by a Russian law enforcement agency
- They decided to go underground for some unknown reason
Let’s start with the Russian possibility. The downing of REvil’s websites occurred less than a week after President Joe Biden reportedly had a terse talk with Russian President Vladimir Putin, during which he asked the Russian leader to crack down on ransomware hackers operating from within his country’s borders. Did Putin finally heed Biden’s call to hold Russian cybercriminals accountable? Did REvil’s servers get fried by some cyber cell of the FSB? It’s possible, but we just don’t know at this point.
Another possibility is that a U.S. agency may have targeted the gang. The New York Times has suggested that Biden may have “ordered the United States Cyber Command, working with domestic law enforcement agencies, including the F.B.I., to bring it [REvil] down.” If that were the case, the incident would appear to follow a trajectory similar to the one involving DarkSide, the ransomware gang that was responsible for attacking Colonial Pipeline. After extorting a $5 million ransom from Colonial in May, DarkSide suffered an apparent attack on its infrastructure. The group then dropped from view, leaving only a PSA on a dark web forum explaining that it had been targeted by an “unknown law enforcement agency” and that it had thus “closed” its business.
In DarkSide’s case, it was assumed that the gang’s infrastructure had been targeted by a U.S. law enforcement agency, a theory that later appeared to be somewhat validated by news of an FBI operation to trace and then seize large portions of the ransom that Colonial paid to the hackers. So… is that what happened to REvil? Again, as of right now, we just don’t know.
Finally, it’s also possible that REvil decided to go underground for some unknown reason, though it seems odd for the gang to do that while still haggling with victims from its Kaseya operation, and before it had secured its $70 million payout. Some security researchers on Twitter have pointed out that ransomware sites do routinely go offline but usually come back online within a short period. Others have argued that this incident looks a little different.
In short: We don’t know, we don’t know, we don’t know. As with much else in the world of cybercrime, there simply isn’t enough information publicly available to understand why this happened. However, if REvil was hacked by a law enforcement entity, something tells me we’ll have an update on the situation fairly soon.
https://gizmodo.com/notorious-ransomware-gang-revil-mysteriously-disappears-1847282720