Russian ransomware REvil strangely goes offline

It’s not clear why yet, but the Russia-based hacking syndicate REvil is offline. There is no indication law enforcement is behind it. The Associated Press has the story:

Mysterious disappearance of Russian hacking syndicate

WASHINGTON (AP) — The Russia-based criminal syndicate behind a devastating series of recent ransomware attacks was offline on Tuesday, but cybersecurity experts said that it was premature to speculate why and that there was no indication of a law enforcement takedown.

REvil’s dark web data-leak site and ransom-negotiating portals were both unreachable, cybersecurity researchers said. The group was responsible for the Memorial Day ransomware attack on the meat processor JBS and the supply-chain attack this month targeting the software company Kaseya that crippled well over 1,000 businesses globally.

A closed Coop supermarket store in the suburb of Vastberga, Stockholm, Sweden, Saturday July 3, 2021. Cybersecurity teams worked feverishly Sunday July 4, 2021, to stem the impact of the single biggest global ransomware attack on record, with some details emerging about how the Russia-linked gang responsible breached the company whose software was the conduit. The Swedish grocery chain Coop said most of its 800 stores would be closed for a second day Sunday because their cash register software supplier was crippled. (Jonas Ekstromer/TT via AP, File)

President Joe Biden told Russian President Vladimir Putin on a call Friday that he needed to rein in attacks from Russia-based groups and warned that the U.S. had the right to defend its people and critical infrastructure from attacks.

But there were no immediate or public signs that the government had anything to do with REvil appearing offline. It was also possible that the group was lying low after the attack, or switching methods “as we did expose them,” said threat researcher Ryan Sherstobitoff of SecurityScorecard.

“It could be that the server hardware failed, or that it was intentionally taken down, or that someone attacked their host,” said Sean Gallagher, a threat researcher at the cybersecurity firm Sophos. He noted that REvil’s public ransom-negotiating site was also down last week.

Spokespeople for the White House and U.S. Cyber Command, the Pentagon’s cyber arm, declined to comment on Tuesday.

“We have seen no indicators for either voluntary shutdown nor of any offensive steps from law enforcement,” said Alex Holden, founder and chief information security officer of Hold Security. “Right now, perhaps, it is too early to speculate, especially as REvil was building up their strength over the recent months.”

A sign that reads: “Coop Forum supermarket in Vastberga is closed due to IT disturbances, no prognosis as to when we will open again”, on a closed Coop supermarket store in the suburb of Vastberga, Stockholm, Sweden, Saturday July 3, 2021. (Jonas Ekstromer/TT via AP, File)

“There is always a glimmer of hope that Russia is finally doing something right,” he added.

Ransomware variants have previously disappeared as the criminals behind them retooled and modified their malware before introducing it under a new guise. That’s what threat analysts believe happened with a precursor to the REvil ransomware-as-a-service software called Gandcrab. It was the most successful variant over a 15-month run that began in January 2018.

By ERIC TUCKER and FRANK BAJAK
