REvil's Infrastructure Goes OfflineResearchers Question Why the Ransomware Gang's Sites Went Dark
The REvil, aka Sodinokibi, ransomware gang's infrastructure, including its darknet sites, were offline Tuesday, numerous security specialists report. The reason for the sudden disappearance is far from clear.
"All of their sites have been down since around 1 a.m. EST (8 a.m. Moscow Time). So, not just their extortion site, but their payment sites, chat server and [command-and-control] infrastructure," Allan Liska, an intelligence analyst at Recorded Future, tells Information Security Media Group.
It's not clear why REvil's infrastructure, including the gang's Happy Blog leak site, vanished from the internet. A law enforcement takedown, internal technical issues or a possible power struggle within the group all could be factors.
"Different groups have historically had stability woes, which isn't surprising given the way they operate. While it's possible it's law enforcement, it's also very possible they've had an internal falling out again (another admin pulled plug), hardware failures, etc.," tweeted Kevin Beaumont, head of the security operations center for Arcadia Group.
"REvil websites are reportedly down. One possibility is a silent takedown, similar to what happened in the DarkSide situation, where hackers were silently taken offline by the feds," says the security firm Check Point. "Though it might be too early to celebrate, another viable possibility is that the ransomware gang has decided to lay low, given all the attention."
Principal Deputy White House Press Secretary Karine Jean-Pierre said she had no information when asked about the disappearance of the Russian gang's site during a trip Tuesday by President Joe Biden to Philadelphia.
Check Point Research says it has tracked about 15 REvil-related attacks per week for the last two months within the U.S., Germany, Brazil and India.
Liska of Recorded Future also points out that REvil's primary spokesperson, who goes by the handle "Unknown," has also gone quiet.
"Unknown has not been active on any of the underground forums since last Thursday," Liska says. "While it is too early to say for sure what has happened, the longer the infrastructure remains down, the more it looks like a takedown - whether self-directed or by law enforcement will remain to be seen."
Jake Williams, a former member of the National Security Agency's elite hacking team, observes: "Ransomware gangs operating in Russia were on borrowed time the second Colonial Pipeline was hit. The Russian government didn’t care about the cybercrime occurring within its borders, but only so long as it didn’t impact Russia itself," says Williams, the co-founder and CTO at the incident response firm BreachQuest.
The FBI and Justice Department did not immediately reply to a request for comment.
REvil, which appears to be based in or near Russia, has been tied to several recent high-profile ransomware attacks, including the July 2 attack against the remote management software firm Kaseya and the June attack against the meat processing company JBS.
U.S. President Joe Biden on Friday repeated a demand to Russian President Vladimir Putin, previously voiced at their Geneva summit in mid-June, that Russia crack down on ransomware-wielding criminals operating inside its borders.
Biden said the government is prepared to take "any necessary action to defend its people and its critical infrastructure in the face" of these attacks, according to the official readout posted by the White House.
"I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is," Biden told reporters, adding that there would be consequences for Moscow if it doesn't act.
The Kaseya attack targeted the company's on-premises Virtual System Administrator, leading to ransomware attacks on 60 of its managed service provider customers and up to 1,500 of their clients.
The JBS attack led the company to shut down facilities in North America and Australia. The company paid an $11 million ransom for the promise of a decryption tool and a guarantee from REvil that it would not leak stolen data.