The clear and dark web sites run by the REvil ransomware gang have gone offline, leaving netizens wondering if the extortionists have closed down – or been closed down.
At time of writing, all of REvil's portals and infrastructure – used to negotiate and collect ransom payments, and leak stolen data to encourage victims to cough up before the whole lot is released – have vanished. They've been missing in action since 0100 US Eastern Time, or around 0800 in Moscow. We say Moscow because it's believed REvil is orchestrated by miscreants in Russia. For one thing, it appears to leave computers in the nation alone.
"The REvil leak site is definitely unreachable," Sean Gallagher, Sophos senior threat researcher, told The Register, adding: "The server is likely down.
"It could be that the server hardware failed, or that it was intentionally taken down, or that someone attacked their host. At this time, there's nothing claiming that law enforcement is responsible. The public internet ransom site was also down last week."
On Friday, President Biden had a phone call with Russia's President Putin about the worldwide ransomware epidemic, and afterwards told the press the US was prepared to attack the servers used by ransomware criminals who were targeting American businesses and citizens.
Extortionware infections have exploded in the past decade, and REvil has had some big scores – such as exploiting installations of Kaseya's IT management software to infect as many as 1,500 businesses in one fell swoop just this month.
Has Team America taken down REvil, perhaps even with Putin's help? It's too early to tell. Ransomware groups are just like any other IT operation and suffer outages as much as anyone else. It's possible that the crew are simply having an issue or are redoing their infrastructure.
The other, and more probable, explanation is that the ransomware crims have simply decided to close down for a while until the heat is off – the Darkside gang behind the Colonial Pipeline ransomware freaked out at the media and law enforcement attention it drew, for instance – and take a summer holiday with their ill-gotten gains, returning later, maybe even with a rebrand.
Ransomware is a huge money-making scheme, thanks to some organizations' willingness to pay to make a problem go away. These miscreants are unlikely to give up voluntarily. ®