A prolific, Russian-speaking ransomware gang has suddenly disappeared from the internet months after executing some of the most high-profile cyberattacks on U.S. targets.
It is unclear why the group's online footprint, including its blog and payment-processing infrastructure, has gone offline, but its absence has prompted questions about whether the U.S. took action just days after President Joe Biden promised consequences for a string of cyberattacks. But ransomware gangs have also been known to voluntarily disband, only to return under a different name.
The group, REvil, is one of the most prolific cybercriminal organizations in the world. It hacked more than 360 U.S. targets in 2021 alone, part of an extortion spree that locks up victims' computers, leading to demands of payment in exchange for a decryptor program and a promise to not leak sensitive files.
The group disappeared from the dark web early Tuesday morning without leaving any known indication why, and the timing is noteworthy. Biden has repeatedly insisted he plans to take some action against ransomware hackers, many of whom are believed to reside in Russia. On Friday, Biden told reporters the U.S. may attack the "servers" used to carry out attacks, but he didn't give specifics.
In May, REvil hacked major meat supplier JBS, encrypting its computers and convincing the company to pay $11 million in exchange for a promise to not leak its files to an extortion blog it kept on the dark web. Over the Fourth of July weekend, the group hacked the software company Kaseya, using its connectivity to the larger internet ecosystem to infect more than 1,500 organizations around the world.
REvil's blog site, as well as other REvil sites used to host decryptor programs and payment processing, were all offline as of around 1 a.m. ET, said Allan Liska, who tracks ransomware groups for the cybersecurity company Recorded Future.
There was no immediate indication of why REvil's sites were taken down. There are dozens, if not hundreds, of active ransomware groups. As members of organized cybercrime, ransomware hackers aren’t always in the same location or even the same country. Sometimes they voluntarily disband, potentially to reorganize under a different name.
U.S. Cyber Command, the arm of the Pentagon in charge of offensive cyberattacks, has in the past reportedly conducted operations to disrupt Russia-affiliated cybercrime, and one of its top lawyers recently wrote an open call for it to turn its aim on ransomware gangs. Spokespeople for both Cyber Command and the White House National Security Council declined to comment on REvil's disappearance.
Biden made addressing ransomware one of his top priorities when meeting Russian President Vladimir Putin in Geneva in June, and he reiterated in his call last week that he wanted Russia to take law enforcement action against cybercriminals that operate there. Russia's Ministry of Foreign Affairs did not respond to a request for comment.
In a press conference Wednesday, Kremlin spokesperson Dmitry Peskov made it clear that the Russian government wasn’t taking credit for REvil’s disappearance.
"I do not know which group has disappeared from where," Peskov said.
In a rare interview in March, a de facto spokesperson for REvil who goes by the pseudonym Unknown claimed they would never voluntarily quit ransomware.
Even if the U.S. were able to successfully either knock REvil offline or convince Putin to crack down on it, other ransomware groups are still active, and not all ransomware hackers are in Russia.
In a call Friday afternoon with reporters, a senior administration official, speaking on the condition of anonymity, said the White House's official position is that tackling the problem of Russia harboring ransomware hackers could take at least six months.
"This is more than just a conversation taking place between the two leaders," the official said. "This is a broad campaign, and it won't have an immediate on-off effect, like a light switch."