Infrastructure REvil offline out of nowhere

The servers and websites of the Russian-affiliated hacker group REvil went dark out of nowhere on Tuesday evening Dutch time. The infamous hacker gang uses various sites, mainly on the dark web, to negotiate ransom payments with victims. From one moment to the next these were suddenly no longer online.

The servers and sites went offline around 19:00 Dutch time. REvil can no longer sell stolen personal data from companies and organizations to other hackers and cybercriminals. This also made it impossible to collect ransoms: the Russian hacker collective used its own infrastructure for this. Anyone who now visits one of the sites on the dark web will see the message ‘Onionsite not found’. BleepingComputer cybersecurity expert Lawrence Abrams says on Twitter that REvil’s helpdesk is also offline.

It is rumoured that REvil received a subpoena from Russian law enforcement agencies and wiped out all of its servers. This message has not been confirmed by the Russian authorities. Abrams also reports on Twitter that Unknown, a hacker seen as the spokesperson for REvil, has been banned from the popular Russian-English hacker forum XSS after this report. According to ethical hacker Vitali Kremez, members of this forum are often banned if they are wanted by the police.

Why REvil suddenly disappeared from both the dark web and the regular web is a mystery. One possible explanation is that things are getting too hot for the hackers. Early this month, REvil’s hackers launched a supply chain attack on hundreds of companies and organizations worldwide. They exploited vulnerabilities in the Virtual System Administrator (VSA) of ICT service provider Kaseya. Customers use this software to remotely manage the servers and computer systems of their own customers. The vulnerabilities allowed them to infiltrate the networks of some 1,500 companies and install ransomware. In a public message, REvil demanded $70 million in ransom for a universal decryption key or decryptor.

Companies and organizations in at least 17 countries, including the Netherlands, fell victim to the supply chain attack. Given the brutality, scale and social impact of such an attack, it is understandable that intelligence and investigative services are stepping up their efforts to track down the perpetrators. That effort may be bearing fruit, with the hackers trying to erase all their digital traces.

Another possible explanation for REvil suddenly going offline is that President Biden has taken action. He has already spoken to Russian President Vladimir Putin several times about the cyberattacks carried out from his country that are affecting American society and the economy.

The US president has told Putin that he wants Russia to intervene if Russian hackers carry out cyber attacks. “I made it very clear to him that the US expects that when a ransomware operation is carried out from its territory, even if the state does not order it, we expect them to act if we give them enough information to act against whom that is,” Biden told a group of reporters last week.

Retaliation was not ruled out. A senior government official told Reuters news agency that Biden is ordering retaliatory actions soon. “We are not going to reveal exactly what those actions will be. Some will be clear and visible, some may not. But we expect them to be implemented in the coming days or weeks.” Perhaps taking REvil’s servers and websites offline is retaliation by the Americans.

Incidentally, it is not unusual for hackers to quit from one moment to the next. DarkSide, also a Russian hacker group, threw in the towel last May. That happened after it received $4.4 million from the American oil company Colonial Pipeline and the German chemical distribution company Brenntag.

REvil spokesperson Unknown said his group had taken DarkSide’s servers offline. The attacks that DarkSide carried out may have had too great a social impact. This not only increases the pressure from investigative services but is also bad for the group’s image.

“We only focus on large and profitable companies. We think it’s fair that part of the money they have paid goes to charitable organizations. Regardless of how you feel about our work, we are delighted that our effort has impacted the lives of others,” REvil said in a press statement earlier this year. DarkSide subsequently apologized for the ransomware attack on Colonial Pipeline, but to no avail.
