Did the REvil ransomware gang shut shop? Or was it nuked?

The REvil ransomware gang, which gained notoriety this year for successfully targeting well-known organisations and bagging tens of millions in ransom payments, inexplicably disappeared from the Internet today, fueling suspicions that a recent meeting between two presidents may have something to do with it.

In May, the DarkSide ransomware gang, which forced companies like Colonial Pipeline and Brenntag to pay millions in ransom in exchange for a decryption key, unexpectedly announced that it had ceased operations, stating that its public blog, ransom collection website, and breach data content delivery network (CDN) were seized at the request of a law enforcement agency.

On 7th June, FBI Deputy Director Paul M. Abbate announced that the agency had successfully “seized criminal proceeds from a bitcoin wallet that DarkSide ransomware actors used to collect a cyber ransom payment from a victim.” In total, the bitcoin wallet contained $2.3 million in cryptocurrency out of the $4.4 million that Colonial Pipeline paid to the Russia-based cybercrime group a few weeks earlier.

Abbate also issued a thinly-veiled warning to other ransomware gangs that operated from the safety of international borders, stating that the FBI will “continue to work relentlessly and seek innovative ways to use our unique authorities, world-class capabilities, and enduring partnerships for maximum impact against our adversaries.”

“This focus on joint action and collaboration is exemplified by the National Cyber Investigative Joint Task Force, which brings together intelligence community, law enforcement, and cybersecurity agencies for a whole-of-government approach against these cyber threats.

“Today, we deprived a cyber-criminal enterprise of the object of their activity—their financial proceeds and funding. For financially motivated cyber criminals, especially those presumably located overseas, cutting off access to revenue is one of the most impactful consequences we can impose.

“With continued cooperation and support from victims, private industry, and our U.S. and international partners, we will bring to bear the full weight and strength of our combined efforts and resources against those actors who think nothing of threatening public safety and our national security for profit,” he added.

While the FBI is yet to comment on why the websites owned by the REvil ransomware gang suddenly went offline today, it is pertinent to note that the agency had vowed to bring the ransomware gang to justice after attributing the ransomware attack on JBS Foods to the hacker group.

“As the lead federal investigative agency fighting cyber threats, combating cybercrime is one of the FBI’s highest priorities. We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice,” it said.

According to BBC, a payment website and a blog run by the REvil ransomware gang went offline on Tuesday, and hackers associated with the gang are yet to issue a statement to explain the disappearance. The disappearance is unusual for a ransomware gang that has been so successful in netting tens of millions in ransom and is running a successful Ransomware-as-a-Service programme that boasts hundreds of affiliates from across the world.

BBC noted that the disappearance occurred soon after US President Joe Biden and Russian President Vladimir Putin engaged in a telephonic conversation on Friday. A statement released by The White House reads that President Biden spoke with President Putin “about the ongoing ransomware attacks by criminals based in Russia that have impacted the United States and other countries around the world.”

“President Biden underscored the need for Russia to take action to disrupt ransomware groups operating in Russia and emphasized that he is committed to continued engagement on the broader threat posed by ransomware. President Biden reiterated that the United States will take any necessary action to defend its people and its critical infrastructure in the face of this continuing challenge.”

Commenting on these developments, Steve Moore, chief security strategist at Exabeam, told TEISS that the outage suffered by the REvil ransomware gang could be criminal maintenance, planned retirement, or, more likely, the result of an offensive response to the criminal enterprise.

“If the outage is the result of an offensive response, this then sends a new message to these groups that they have a limited window in which to work. Furthermore, if a nation responds to criminals backed by and hosted in another country, this will change the definition of risk for affected private organizations,” he said.

“The question becomes, who is and isn’t ready to participate in this new theatre? If a nation engages in offensive ‘hack back’ operations, then to what degree should they defend private companies as well – which is arguably more valuable?”


All rights reserved Teiss Recruitment Ltd.