REvil Ransomware Gang Mysteriously Disappeared, Rumors of Law Enforcement Action

REvil, the group responsible for many of the most notable attacks like those on JBS and Kaseya, has mysteriously disappeared from cyberspace. Several darknet and surface web sites run by Russia-linked cybercrime syndicates went offline on Tuesday.

The Tor network infrastructure, which includes 22 data hosting sites and one data leak blog, was offline on Tuesday.

REvil (aka Sodinokibi) is a highly prolific ransomware group and one of the most notorious. It first appeared in April 2019 and uses a variant of the GandCrab ransomware that is known to have hit the underground markets in 2018.

“If REvil has been permanently disrupted, it’ll mark the end of a group which has been responsible for >360 attacks on the U.S. public and private sectors this year alone,” Emsisoft’s Brett Callow tweeted.

This news comes shortly after a wave of high-profile ransomware attacks carried out by REvil that encrypted the systems of over 1,500 businesses after the group compromised Kaseya software. The group demanded the highest-ever ransom of $70 million to decrypt all the victims’ systems.

Earlier, in May, REvil carried out an extortion attack on the world’s biggest meat producer, JBS. The company eventually paid a ransom of $11 million.

REvil’s disappearance also coincides with U.S. President Joe Biden’s warning that he would launch a campaign to disrupt the operations of hacker gangs operating out of Russia if Putin doesn’t.

“The situation is still unfolding, but evidence suggests REvil has suffered a planned, concurrent takedown of their infrastructure, either by the operators themselves or via industry or law enforcement action,” FireEye Mandiant’s John Hultquist told CNBC.

The disappearance was first noticed when REvil’s Happy Blog was taken offline on Tuesday morning. Then someone noted that the group’s representative, Unknown, hasn’t posted to hacking forums since July 8.

Later, a representative for the LockBit ransomware group claimed that REvil’s servers were deactivated after the government’s order to shut down.

REvil joins a growing number of ransomware groups that have shut down operations. Following its highly publicized attack against Colonial Pipeline, DarkSide announced that it would no longer be carrying out its encryption attacks. Its servers were allegedly taken by a law enforcement agency. And last month, the US Department of Justice confirmed they seized DarkSide’s crypto wallets and managed to recover the money Colonial Pipeline paid to DarkSide.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.
