REvil Disappears After Kaseya Ransomware Attack, Biden–Putin Chat

Photo: ROB ENGELAAR/ANP/AFP (Getty Images)

After causing worldwide mayhem, a notorious cybercrime group appears to have disappeared.

The ransomware gang REvil, whose operators are believed to reside in Russia, has been tied to two of this year’s most disastrous ransomware attacks. In May, the gang successfully hacked giant meat supplier JBS (one of America’s largest sources of beef and pork), subsequently extorting $11 million out of the company. Then, about a week ago, the gang claimed responsibility for the attack on global IT provider Kaseya, demanding $70 million in exchange for a decryption key that would unlock all victims’ files.

But REvil’s luck may have run out. Sometime around 1 a.m. on Tuesday, all online traces of the gang strangely appeared to vanish from the web. Security professionals began commenting on Twitter that the gang’s websites appeared to be down. In particular, the group’s “leak site”—which REvil has typically used to extort ransoms from victims using data stolen during attacks (and which the gang sardonically dubbed its “Happy Blog”)—has been taken offline.

“All REvil sites are down, including the payment sites and data leak site,” said Lawrence Abrams, security researcher and owner of BleepingComputer. “The public ransomware gang represenative [sic], Unknown, is unusually quiet,” he added, referring to the group’s equivalent of a PR liaison.

The disappearance comes a little more than a week after the gang’s alleged attack on Kaseya, which affected some 1,500 businesses worldwide. As of Tuesday, nobody has yet paid REvil’s demand of a $70 million ransom, which leaves the many hundreds of businesses reportedly affected by the attack in limbo.

While it’s currently unclear why the group has gone AWOL, there are some theories circulating as to what may have happened to the group. The main ones are as follows:

  • They were hacked by a Russian law enforcement agency
  • They were hacked by a U.S. law enforcement agency
  • They decided to go underground for some unknown reason

Let’s start with the first possibility. The downing of REvil’s sites has occurred less than a week after President Joe Biden reportedly had a terse talk with Russian President Vladimir Putin during which he asked the Russian leader to crack down on ransomware hackers operating from within his country’s borders. Did Putin finally heed Biden’s call to hold Russian cybercriminals accountable? Did REvil’s servers get fried by some cyber cell of the FSB? It’s possible, but we just don’t know at this point.

Another possibility is that a U.S. agency may have targeted the gang. The New York Times has suggested that Biden may have “ordered the US Cyber Command, working with domestic law enforcement agencies, including the F.B.I., to bring it [REvil] down.” If that were the case, the incident would seem to follow a similar trajectory to the one involving DarkSide—the ransomware gang that was responsible for attacking Colonial Pipeline. After extorting a $5 million ransom from Colonial in May, DarkSide suffered an apparent attack on its infrastructure. The group then dropped from view, leaving only a PSA on a dark web forum explaining that it had been targeted by an “unknown law enforcement agency” and that it had thus “closed” its business.

In DarkSide’s case, it was assumed that the gang’s infrastructure had been targeted by a U.S. law enforcement agency—a theory that later seemed to be validated somewhat by news of an FBI operation to track and then seize large portions of the ransom that Colonial paid to the hackers. So… is that what happened to REvil? Again, as of right now, we just don’t know.

Finally, it’s also possible that REvil decided to go underground for some unknown reason, though it seems odd for the gang to do that while still haggling with victims from its Kaseya operation—and before it had secured its $70 million payout. Some security researchers on Twitter have pointed out that ransomware sites do routinely go offline but will usually come back online within a short period of time. Others have argued that this incident looks a little different.

In short: We don’t know, we don’t know, we don’t know. As with much else in the world of cybercrime, there just isn’t enough information publicly available to understand why this event occurred. However, if REvil was hacked by a law enforcement entity, something tells me we’ll have an update on the situation fairly soon.
