Mysterious disappearance of the REvil Ransomware team after High-Profile attacks

REvil, the infamous ransomware cartel behind some of the biggest cyberattacks targeting JBS and Kaseya, has mysteriously disappeared from the dark web, leading to speculations that the criminal enterprise may have been taken down.

Multiple darknet and clearnet sites maintained by the Russia-linked cybercrime syndicate, including the data leak, extortion, and payment portals, remained inaccessible, displaying an error message “Onionsite not found.”

The group’s Tor network infrastructure on the dark web consists of one data leak blog site and 22 data hosting sites. It’s not immediately clear what prompted the infrastructure to be knocked offline.

REvil is one of the most prolific ransomware-as-a-service (RaaS) groups that first appeared on the threat landscape in April 2019. It’s an evolution of the GandCrab ransomware, which hit the underground markets in early 2018.

The Kaseya attack saw the ransomware gang encrypt approximately 60 managed service providers (MSPs) and over 1,500 downstream businesses by exploiting a zero-day vulnerability in the Kaseya VSA remote management software. In late May, REvil also masterminded the attack on the world’s largest meat producer, JBS, which ended up paying $11 million to the extortionists to recover from the incident.

The outage also coincides with U.S. President Joe Biden’s phone call with Russian President Vladimir Putin last week, pressing the latter to take steps to disrupt ransomware groups operating in the country, while warning of retaliatory action to defend critical infrastructure.

“The situation is still unfolding, but evidence suggests REvil has suffered a planned, concurrent takedown of their infrastructure, either by the operators themselves or via industry or law enforcement action,” FireEye Mandiant’s John Hultquist told CNBC.

REvil’s unexplained shutdown may just as well be a case of planned retirement, or a temporary setback that forces the group to seemingly disband only to reassemble later under a new identity to attract less attention, or it may be the consequence of increased international scrutiny in the wake of the global ransomware crisis.

[The Hacker News]
