REvil, Russia-based cyber gang, abruptly vanishes following series of ransomware attacks

REvil, a Russian-based hacking group held responsible for several recent major ransomware attacks, abruptly vanished from the internet this week.

Websites and infrastructure run by REvil went offline without explanation Tuesday, triggering speculation about whether the prolific ransomware group could have called it quits, willingly or otherwise.

The White House had repeatedly singled out REvil in the weeks prior to its disappearance, saying as recently as Friday that Russian President Vladimir Putin has a responsibility to rein in the group.

“I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Mr. Biden told reporters after speaking with Mr. Putin by phone.

Asked whether the U.S. would impose consequences on the Kremlin if Russia did not cooperate on the matter, Mr. Biden replied, “yes.”

White House press secretary Jen Psaki acknowledged Wednesday the Biden administration was aware REvil has vanished from the web but declined to comment further.

“We just don’t have anything more for you on REvil’s absence currently from the environment,” Ms. Psaki told reporters during a White House press briefing.

Russia’s state-run media reported earlier Wednesday that Kremlin spokesperson Dmitry Peskov denied knowing whether the group’s disappearance was connected to any recent bilateral discussions.

Before going offline, REvil offered “ransomware as a service” to other cybercriminals: REvil provided its ransomware to affiliates in exchange for receiving a percentage of the money paid by victims.

REvil sites that went offline this week include pages the group used to receive payments from its victims as well as to share data stolen from those victims hesitant or unwilling to heed their ransom requests.

The sudden disappearance of REvil could have potentially been the result of action by the U.S., Russia or another government. Alternatively, REvil could have dissolved itself to avoid further attention.

In any event, REvil managed to wreak substantial havoc since its ransomware first appeared in 2019, evidenced most recently by its successful attacks on JBS USA and Kaseya, among others.

JBS USA, one of the nation’s largest meat suppliers, said last month that it paid a ransom of around $11 million to the cybercriminal who briefly shuttered its operations in May using REvil ransomware.

Days before its blog disappearing, REvil released data online it claimed to obtain from victims including a law firm in South Carolina and a Florida-based contractor with the U.S. federal government and military.

“If REvil has been permanently disrupted, it’ll mark the end of a group which has been responsible for >360 attacks on the US public and private sectors this year alone,” Emsisoft threat analyst Bret Callow said on Twitter.