Was it Putin, the U.S., or rivals that took down what is likely the most well-known ransomware group of all time? Or was it simply the right time for REvil to exit the stage?
The notorious REvil ransomware network, allegedly responsible for over 360 ransomware attacks during the last two years, had its entire online presence removed yesterday, by actors and through means that remain unknown.
The components taken down from the dark web include REvil’s portals for data leaks, extortion attempts and resulting payments. It also includes the public-facing centerpiece for REvil, the Happy Blog website. Happy Blog is where REvil posted the latest details of their successful efforts, frequently bragging about their most recent exploits and issuing threats to potential future victims.
In one of the last posts on Happy Blog, REvil claimed to have infected over a million systems belonging to international IT vendor Kaseya Ltd. In the post, REvil asks for a whopping $70 million ransom – payable in Bitcoin – in exchange for a “publicly decryptor (sp.) that decrypts files of all victims.”
After a meeting with Russian President Putin on July 9, U.S. President Biden stated that a line of communication had been opened between the two countries that would be dedicated to cyberattack-related affairs.
“I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” said Biden.
It is not known if Biden’s meeting with Putin contributed to the sudden disappearance of REvil’s presence on the darknet.
Security researchers note that malware and ransomware operations like REvil often disband and re-appear under a new name to escape an increasingly negative reputation.
As almost no information about what caused the knockout is available, it is possible that the individuals behind the REvil banner have not been taken into custody and will simply re-emerge when the moment is right.
Next time, however, the light shone on their movements will likely be all the brighter, as the internationally coordinated crackdown on ransomware groups continues.