REvil Ransomware Websites Mysteriously Gone Offline
The Shutdown Took Place on July 13th At Approximately 01:00 AM EST, Which Is 08:00 AM Moscow Time.
REvil ransomware, aka Sodinokibi, operates via several clear web and dark web sites used as ransom negotiation sites, data leak sites, and backend infrastructure.
Researchers reported that the threat actors’ payment site, the public site, the ‘helpdesk’ chat, and their negotiation portal are offline.
Image Source: BleepingComputer
Although it is still unknown what caused the outages, a few theories were floated online.
Last Friday, US President Joe Biden has asked Russian President Vladimir Putin during a phone call to act on the attacks against American organizations and infrastructure, adding that the U.S. will take “any necessary action” to protect itself against future attacks.
Biden and Putin’s conversation follows an extensive ransomware cyberattack on Kaseya that resulted in the infection of hundreds of businesses with REvil ransomware by the Sodinokibi Gang.
Full @POTUS comments about his call with Russian President Putin about ransomware. pic.twitter.com/00ByzOyrPN
— Martin Matishak (@martinmatishak) July 9, 2021
As reported by ZDNet, some security researchers believe the group may have taken their own websites down, either because of internal squabbles or fear over increased law enforcement scrutiny, while others think it may be the result of official actions taken by government agencies.
Allan Liska, a ransomware expert and CSIRT at Recorded Future said that the REvil websites went offline July 13th at approximately 01:00 AM EST, which is 08:00 AM Moscow time.
So far, the FBI has declined to comment regarding the shutdown of REvil’s servers.
Two weeks ago, we reported that another supply chain vulnerability was successfully exploited by the REvil ransomware gang in order to target thousands of businesses through the initial infected host. The entry point was the Managed Service Provider (MSP) Kaseya VSA, a cloud-based platform that allows its customers to perform patch management and client monitoring.
This led to the most significant ransomware attack in history. The data of 60 customers, plus around 1,500 downstream businesses have been impacted by the attack.
REvil initially decided that the price for decrypting all systems would be $70 million in Bitcoin in exchange for the tool that allows all affected businesses to recover their files, but later dropped the ransom to $50 million.
So far, it’s not clear whether REvil shut down its servers for technical reasons, if the gang shut down their operation, or if a Russian or USA law enforcement operation took place.
Other well-known ransomware groups, such as DarkSide and Babuk, are undergoing a revamp. DarkSide ransomware, which is responsible for the Colonial Pipeline attack, said it was disbanding following massive negative publicity and law enforcement attention from the May incident.
Likewise, the Avaddon ransomware gang disappeared this month under mysterious circumstances after sending a ZIP file with the decryption keys for all victims affected.
Babuk was also rebranded as Babuk v2.0 after the original group split due to differences in how attacks were conducted.