Ransomware Giant REvil’s Sites Disappear

[silversurfer]

All of REvil’s Dark Web sites slipped offline as of early Tuesday morning, and it’s not clear whether it’s due to the ransomware gang getting busted or whether the threat actors did it on purpose.
 
The REvil ransomware operation, a.k.a. Sodinokibi, uses both clear web and Dark Web sites to negotiate ransoms, leak data, support its backend infrastructure and receive payment from its many victimized organizations. That victims list has recently grown with the addition of Kaseya and its many managed service provider (MSP) customers, as well as the global meat supplier JBS Foods,

All of REvil’s sites went offline as of around 1 a.m. It doesn’t mean that the notorious gang has been shut down, as one cybersecurity expert emphasized – it’s just that all its sites were unreachable, up until at least Tuesday at 2:55 p.m. EDT.
 
One possibility: It could be that the U.S. shut down the servers. Then again, perhaps it was the Russian government. The timing would make sense, given the White House’s saber-rattling at Russia over the ransomware plague. The silenced servers come just a few days after President Biden called President Vladimir V. Putin of Russia and demanded that he shut down ransomware groups attacking American targets.
 
If you don’t, we will, Biden said. On Friday, when a pool of reporters asked the president if the U.S. might attack the servers that Russia-linked cybercriminals have used to hijack American networks, he said, “Yes.”
 
Jake Williams, co-founder and CTO at BreachQuest, told Threatpost that it’s all just speculation at this point, but ransomware gangs operating in Russia “were on borrowed time the second Colonial was hit.” He was referring to the ransomware attack on Colonial Pipeline leading up to Memorial Day Weekend: An attack that was attributed to the ransomware-as-a-service (RaaS) player DarkSide.
 
“The Russian government didn’t care about the cybercrime occurring within its borders, but only so long as it didn’t impact Russia itself,” Williams said in an email. “That has clearly changed – the Russian government can clearly see they are being impacted by the actions of these actors. Whether REvil was taken out of commission by the Russian government, saw the writing on the wall and took infrastructure down, is simply rebranding like so many groups have (likely including REvil itself), or something else, is unknown at this point.”

Read more: Ransomware Giant REvil Disappears | Threatpost