The infrastructure and websites for the REvil ransomware operation have mysteriously gone offline as of last night.
The REvil ransomware operation, aka Sodinokibi, operates through numerous clear web and dark web sites used as ransom negotiation sites, ransomware data leak sites, and backend infrastructure.
Starting last night, the websites and infrastructure used by the REvil ransomware operation have mysteriously shut down.
"In simple terms, this error generally means that the onion site is offline or disabled. To know for sure, you'd need to contact the onion site administrator," the Tor Project's Al Smith told BleepingComputer.
While it is not unheard of for individual REvil sites to lose connectivity for some time, for all of the sites to go down simultaneously is unusual.
Furthermore, the decoder[.]re clear website is no longer resolvable by DNS queries, possibly indicating the DNS records for the domain have been pulled or that backend DNS infrastructure has been shut down.
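The two explanations above (records pulled from the zone versus the backend DNS infrastructure going dark) usually produce different answers from a recursive resolver: an authoritative "no such name" comes back as NXDOMAIN, while a resolver that cannot reach the domain's name servers at all returns SERVFAIL. The following is an added example, not code from the article or from any of the researchers quoted, that parses raw DNS responses and maps the response code to those cases. The sample packets are constructed in-line rather than captured from decoder[.]re; `query_resolver` performs a real UDP lookup only if you call it, and its default resolver address of 127.0.0.1 is an assumption.

```python
"""Classify why a domain fails to resolve, using raw DNS packets (RFC 1035).

Added example: sample responses are constructed test data, not captures of
decoder[.]re. `query_resolver` does a live UDP lookup if you choose to run it.
"""
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted hostname as length-prefixed DNS labels."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Standard recursive A query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def classify_response(resp):
    """Return (rcode_name, answer_count) parsed from a raw DNS response."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:            # QR bit must be set on a response
        raise ValueError("packet is a query, not a response")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode), ancount


def interpret(rcode_name, ancount):
    """Map the resolver's verdict onto the cases a responder cares about."""
    if rcode_name == "NXDOMAIN":
        return "records pulled"       # the zone answers that the name no longer exists
    if rcode_name == "SERVFAIL":
        return "backend DNS down"     # resolver could not get an answer from authoritative servers
    if rcode_name == "NOERROR" and ancount == 0:
        return "name exists, no A record"
    if rcode_name == "NOERROR":
        return "resolving"
    return "other: " + rcode_name


def fake_response(query, rcode, answer_ip=None):
    """Constructed response to `query` with the given RCODE (test data only)."""
    txid = struct.unpack("!H", query[:2])[0]
    ancount = 1 if answer_ip else 0
    flags = 0x8180 | rcode            # QR, RD, RA set, plus the response code
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    body = query[12:]                 # echo the question section
    if answer_ip:
        # compression pointer to the name at offset 12, type A, class IN, TTL 60, 4-byte RDATA
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return header + body


def query_resolver(name, resolver="127.0.0.1", timeout=3.0):
    """Live lookup (not run by default). Returns an interpretation or 'timeout'."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"          # the resolver itself is unreachable or dropped the query
    return interpret(*classify_response(resp))


if __name__ == "__main__":
    q = build_query("decoder.re")
    for label, pkt in [("pulled", fake_response(q, 3)),
                       ("backend down", fake_response(q, 2)),
                       ("healthy", fake_response(q, 0, "192.0.2.10"))]:
        print(label, "->", interpret(*classify_response(pkt)))
```

Run the live check against more than one resolver before drawing a conclusion: a single resolver may serve a stale negative answer from cache, and a timeout from one resolver says nothing about the domain itself.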
Recorded Future's Allan Liska said that the REvil websites went offline at approximately 1 AM EST this morning.
This afternoon, the LockBit ransomware representative posted to the Russian-speaking XSS hacking forum that the REvil gang is rumored to have erased its servers after learning of a government subpoena.
"Upon uncorroborated information, REvil server infrastructure received a government legal request forcing REvil to completely erase server infrastructure and disappear. However, it is not confirmed," the post says, as translated from Russian to English for BleepingComputer by Advanced Intel's Vitali Kremez.
Soon after, the XSS admin banned REvil's 'Unknown,' the public-facing representative of the ransomware gang, from the forum.
"As a rule of thumb, the administration of the top forums bans its users when they are suspected of being under the police control," explained Kremez.
If you have first-hand information about the shut down, you can confidentially contact us on Signal at +16469613731 or on Wire at @lawrenceabrams-bc.
Feeling the heat
On July 2nd, the REvil ransomware gang encrypted approximately 60 managed service providers (MSPs) and over 1,500 individual businesses using a zero-day vulnerability in the Kaseya VSA remote management software.
As part of these attacks, REvil initially demanded $70 million for a universal decryptor for all victims but quickly dropped the price to $50 million.
Since then, the ransomware group has been under increased scrutiny by law enforcement, which did not seem to faze 'Unknown'.
As these ransomware gangs commonly operate out of Russia, President Biden has been in talks with President Putin about the attacks and warned that if Russia did not act against threat actors within its borders, the USA would take action itself.
"I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is," Biden said after signing an executive order at the White House.
At this point, it is not clear whether REvil's servers went down for technical reasons, whether the gang shut down its operation, or whether a Russian or US law enforcement operation took place.
Other ransomware groups, such as DarkSide and Babuk, shut down voluntarily due to the increased pressure by law enforcement.
However, when ransomware groups shut down, the operators and affiliates commonly rebrand as a new operation to continue performing ransomware attacks. This was seen in the past when GandCrab shut down and many of its members relaunched as REvil.
Babuk also relaunched as Babuk v2.0 after the original group splintered due to differences in how attacks were conducted.
The FBI has declined to comment regarding the shutdown of REvil's servers.
This is a developing story.
Update 7/13/21 6:31 PM EST: Added more information about hacking forums.
Comments
osct - 2 years ago
Biden had nothing to do with this. Stay on topic. Don't bring politics into this group.
AlfaX - 2 years ago
"Biden had nothing to do with this. Stay on topic. Don't bring politics into this group."
And you know that how? It would seem at this point, no one knows why the sites are down.
TsVk! - 2 years ago
The US as a whole is exerting pressure on Russia to stop these attacks, nothing to do with politics. It's gone from harassing people for their pictures to bringing down critical infrastructure, which, if it were done by a state entity, would be an act of war.
It can never be allowed to continue and will result in actual war if allowed to escalate.
iwangchungeverynight - 2 years ago
Politics interweaves everything done on this planet in how, when, and where business is conducted, to how public entities provide services, to the provisioning and procurement of goods and services for human survival. The moment the leader of one of the largest economies on the planet uttered the words 'cybersecurity', 'ransomware', and 'executive order', quite literally every single discussion about ransomware became political in nature. To ignore that reality is to avoid uncomfortable conversations but doesn't change the basic fact that everything has political undertones and is maneuvered by those waves of activity and power.
nicecube - 2 years ago
Good news, I hope they got pulled over by the Russian police.
herbman - 2 years ago
Contrary to what the media insist is the truth, the overwhelming majority of cyber attacks are coming from China, NOT Russia.
If you're one of those people that actually believe what the media report, then you clearly don't have a clue about the truth, but let me give you an example. The below is reported by the far-left Guardian, who eventually decided to come clean about who really colluded with Russia.
"It’s Confirmed, John Brennan Colluded with Foreign Spies to Get Trump"
An article in the Guardian last week provides more proof that one side did collude with foreign powers and interfered in the election. It was Hillary’s side.
Then-CIA director John Brennan was the ringleader. He colluded with foreign powers in a massive political espionage scheme to defeat Trump according to the Guardian.
Lawrence Abrams - 2 years ago
I can't speak for malware in general, but I disagree when it comes to ransomware, which this article is about.