REvil Gang Websites Go Dark After Attacks

Websites for the criminal ransomware hackers linked to Russia suddenly disappeared on Tuesday, prompting takedown speculation

Websites run by the Russian ransomware gang REvil suddenly became unreachable on Tuesday, prompting speculation of a possible takedown by unknown agencies.

According to reports on Tuesday morning REvil’s public website, as well as the dark-web portal that facilitated its ransom negotiations with victims, and its website that victims used to pay those ransoms, suddenly went offline.

It comes after a number of high profile attacks by REvil, that has caused a diplomatic crisis between the West and Russia. In May British Foreign Secretary Dominic Raab warned Russia that it cannot continue to shelter criminal gangs carrying out ransomware attacks on Western nations.


Western action?

The issue of cyberattacks stemming from either Russian government-linked hackers, or criminal gangs located in Russia featured during face-to-face talks in June between US President Joe Biden and Russia’s President Vladimir Putin.

Biden and Putin spent much of that face-to-face meeting talking about cybersecurity issues, with Biden warning Putin of ‘retaliation’ and an ‘aggressive response’ if Russia attacks a list of 16 ‘critical’ facilities in America.

Soon after that, Russia’s Federal Security Service (FSB) head Alexander Bortnikov said that Russia would work together with the United States to locate cyber criminals.

And a reaction from the West has been expected after President Biden hinted last Friday that the United States could take more aggressive action soon where ransomware was concerned.

When he was asked by a Reuters correspondent whether it would make sense to attack the Russian servers used in such intrusions, Biden paused, smiled and said: “Yes.”

The following Tuesday REvil websites disappeared.

Ransomware attacks

REvil was the Russian gang that last week attacked IT software vendor Kaseya, which allowed the criminals to breach hundreds of companies around the world.

REvil had demanded a $70 million ransom.

In June Brazil-based JBS SA, the world’s largest meat production company, suffered a ransomware attack that impacted one-fifth of US beef capacity.

JBS admitted it had paid an $11m ransom, after the REvil ransomware operation had initially demanded $22.5m.

In April Apple was dragged into a ransomware incident when one of its suppliers, Taiwan-based Quanta Computer was hacked. The REvil hacker group reportedly stole and published product blueprints from Apple supplier Quanta and held other blueprints under a $50 million ransom.

In March Taiwanese PC giant Acer faced a $50 million ransom demand after it was attacked in a REvil ransomware attack.

REvil takedown

Security experts have pointed out that in addition to REvil’s websites being taken down on Tuesday, “all of their infrastructure” used to control their hacking operations has also gone dark.

And it seems that REvil’s public spokesperson, who goes by the pseudonym “Unknown,” hasn’t been active on message boards since last Thursday.

“The increasing scale and breadth of new and improving police tactics are starting to take effect in disrupting cybercriminal gangs,” noted Jake Moore, cybersecurity specialist at ESET.

“With recent state of the art techniques used to target displacing the money in other operations, it is clear that the police are beginning to turn the tide and fight back on digital crime,” said Moore.

“Although the detail in such law enforcement tactics still remain unknown to the public, it highlights the police are continuing to grow in their operations and fight from different angles,” Moore concluded. “However, this setback for REvil will unlikely deter them completely, if anything, it may spur them on more.”

Matter on time

This was echoed by another security expert, who warned it was only a matter of time before attacks resume.

“Although it is unclear the exact reason why REvil ransomware websites have gone offline, it is a positive step in the fight against these cybercriminal gangs,” said John Vestberg, CEO and co-founder of Clavister.

“That said, it is only a matter of time before another ransomware incident takes place,” cautioned Vestberg. “The attack on Kaseya was the latest in a line of incidents that have caused wide-spread havoc – from the Colonial Pipeline to the JBS food production plant in the US. In particular, Critical National Infrastructure, such as oil and gas, is a prime target for ransomware gangs – systems are underpinned by a myriad of complex information and operational technology devices and so the consequences if these are infiltrated can be devastating.”

“Going after organisations with huge supply chains and customer bases provides the opportunity for wide-ranging effects which makes those impacted more likely to pay up, either individually or collectively,” added Vestberg.

“This is not the time for organisations to get complacent,” Vestberg said. “In particular, organisations in Europe are better off using local providers with dedicated operations on-the-ground in their regions so, should an attack take place, they may be able to facilitate a quicker route to a positive outcome than waiting for a reaction half a world away. The next ransomware attack is just around the corner.”