Reading Time: 3 minutes

The notorious Russian-speaking ransomware gang, REvil, has mysteriously disappeared from the internet after executing high-profile attacks on hundreds of businesses worldwide.

It is still unclear why the group has gone offline, along with its blog and payment websites. But its sudden disappearance just days after President Biden’s statement raises questions about whether the US authorities had something to do with it.

Who is REvil?

REvil (Ransomware Evil or otherwise known as Sobinokibi) is a Russian-speaking gang. They have targeted thousands of high-profile businesses all over the world. They would threaten to release the information on their Happy Blog unless the targets paid the ransom.

No one has been able to pinpoint their location, but it is believed to be based in Russia because the gang does not target Russian companies or the regions in the former Soviet bloc.

In the past, the UK and US authorities have also accused Russian cybercrime gangs of interfering in the 2016 US presidential elections. The officials also said that they have been abusing the power of virtual private networks (VPNs) to target organizations worldwide and hide their digital footprints. However, the Russian embassy in the US denied the accusations.

REvil Targets

In May 2020, REvil stole nearly one terabyte of confidential information from the Grubman Shire Meiselas & Sacks law firm, claiming to have “dirty laundry” on President Trump. The gang threatened to release data online if the ransomware of $42 million was not paid. The gang stated:

“The next person we’ll be publishing is Donald Trump. There’s an election race going on, and we found a ton of dirty laundry on time. Mr. Trump, if you want to stay president, poke a sharp stick at the guys, otherwise, you may forget this ambition forever.”

In March 2021, REvil attacked the Harris Federation as a result, the IT system of the organization was shut down for weeks, affecting thousands of users.

In April 2021, REvil targeted Apple and stole plans for upcoming Apple products, including the Apple Watch, laptops, and more. The gang demanded $50 million for information. After the attack, they posted on their Happy Blog saying:

“In order not to wait for the upcoming Apple presentation, today we, the REvil group, will provide data on the upcoming releases of the company so beloved by many. Tim Cook can say thank you Quanta.”

In May 2021, JBS SA, a Brazil-based meat processing company, was attacked, disabling its slaughterhouses. Just after a few days of the attack, the White House announced that the REvil might be behind the attack. JBS paid an $11 million ransom to REvil in Bitcoin.

The latest target of REvil was Kaseya, a US tech provider. On July 2, 2021, REvil targeted Kaseya systems and demanded $70 million in ransom to restore their data. As a result of the attack, Swedish Coop, a grocery store chain, had to close almost 800 stores for several days.

This was one of the largest ransomware attacks in history. The attack affected thousands of small companies all over the world. After US Cybersecurity and Infrastructure Security Agency, all users were asked to shut down VSA servers immediately.

The attack was perfectly timed, on Friday, before the long holiday in the US, for spreading it as quickly as possible without getting detected.

Biden takes action against REvil

After the attack, President Joe Biden decided to take action and directed the US intelligence agencies to investigate the group behind the attack that hit hundreds of American businesses.

On July 10, Biden called President Vladimir Putin and said that he must “take action.” Biden further said:

“I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is.”

When asked if there would be consequences, Biden smiled and said, “Yes.” He also said that the US will take action and take down the REvil group’s servers if Moscow did not act.

REvil gang’s disappearance

REvil’s websites, blogs, and “all of their infrastructure” has gone dark, said Allen Liska, an intelligence analyst from Recorded Future. Liska also said that REvil’s public spokesperson also called “Unknown,” “hasn’t been active on message boards since last Thursday,”  and the site has been unresponsive for some time now.

It is still unclear why the group has suddenly disappeared from the internet or whether the disappearance is only temporary or permanent.

The recent changes have sparked speculations about whether the move was REvil’s own decision to cease operations like the former Russian cybercrime gang, DarkSide, or was it a result of US government-led action.

John Hultquist, from Mandiant Threat Intelligence, said:

“The situation is still unfolding, but evidence suggests REvil has suffered a planned, concurrent takedown of their infrastructure, either by the operators themselves or via industry or law enforcement action…If it was a disruption operation of some kind, full details may never come to light.”

This is obviously a good thing, but not for all target companies as Brett Callow from Emsisoft points out:

“If law enforcement has managed to disrupt the gang’s operations, that would obviously be a good thing but could create problems for any companies whose data is currently encrypted. They’d not have the option of paying REvil for the key needed to decrypt their data.”

Liska also noted that REvil’s site ownership has not been changed yet, thus making the possibility of a domain seizure less likely. He also said, “this could suggest these are self-directed takedowns (too early to tell).”

Till now, spokespeople for the White House National Security Council and Cyber Command have yet to comment on the latest REvil’s disappearance. Even if the US government was behind REvil’s disappearance, there are other ransomware groups that are still active – thus raising security concerns worldwide.