Where are REvil? Ransomware sites disappear from dark web after Joe Biden warns Putin

According to Ryan Sherstobitoff, REvil is laying low after the attack or changing methods 'as we did expose them'

                            Where are REvil? Ransomware sites disappear from dark web after Joe Biden warns Putin
President Joe Biden and Russian counterpart Vladimir Putin meet at the start of the US-Russia summit at Villa La Grange on June 16, 2021, in Geneva, Switzerland (Denis Balibouse - Pool/Keystone via Getty Images)

The websites and dark web portals of a Russia-based ransomware organization are now mysteriously offline just days after President Joe Biden urged Russian President Vladimir Putin to take action.

Ransomware gang REvil's dark web data-leak site and their ransom-negotiating portals have both been unreachable since 1 am on Tuesday, July 13. Cybersecurity experts have stated that it is too early to speculate why and that there was no indication of a law enforcement takedown. On Memorial Day, 'Ransomware evil' or REvil attacked the meat processor JBS and the supply-chain attack this month targeting the Miami-based software company Kaseya that crippled over 1,000 businesses globally. This disappearance happened after Biden and Putin's phone call on July 9, 2021, in which Biden urged Putin that he needed to rein in attacks from Russia-based groups and warned that the US had the right to protect its people and critical infrastructure from attacks. Biden later told reporters that he had "made it very clear to him...we expect them to act" on information and also hinted the US could take direct digital retaliation on servers used for intrusions. 


What is DarkSide? Russian hacker behind Colonial Pipeline ransomware attack didn't want 'problems for society'

How did China hack MTA? NY subway targeted in third serious attack on America's largest transit network

U.S. President Joe Biden (R) and Russian President Vladimir Putin meet during the U.S.-Russia summit at Villa La Grange on June 16, 2021, in Geneva, Switzerland. Biden is meeting his Russian counterpart, Putin, for the first time as president in Geneva, Switzerland. (Photo by Peter Klaunzer - Pool/Keystone via Getty Images)

According to experts, vanishing acts are common in the ransomware world where gangs tend to disappear and remarket when they start attracting too much heat.  Threat researcher Ryan Sherstobitoff of SecurityScorecard has stated that it was also possible that REvil is laying low after the attack or changing methods "as we did expose them".

Sean Gallagher, who is working as a threat researcher at a cybersecurity firm named Sophos, said: "It could be that the server hardware failed, or that it was intentionally taken down, or that someone attacked their host." He said that REvil's public ransom-negotiating site was also down last week.

Who are REvil?

REvil’s name is a short form for “ransomware” and “evil,” and the group is also known as Sodinokibi, and security researchers earlier named the organization’s family of malware that encrypts, or scrambles data REvil/Sodinokibi, or REvil.Sodinokibi. According to the Security Researchers, there is a link between the creators of the REvil/Sodinokibi malware and the authors of the GandCrab ransomware, which was first noticed in 2018. Hackers affiliated with GandCrab targeted healthcare firms, including the medical service billing provider Doctor’s Management Service.

In 2019, members of this GandCrab made a statement saying that they would retire and boasted about collecting $2 billion in ransom payments in just one year. A year later, the Minister of Internal Affairs of Belarus stated that they have arrested a hacker with ties to GandCrab. According to ransomware negotiator and the head of threat intelligence at GuidePoint Security, Tony Cook, REvil appears to be inspired by GandCrab in that the two groups use the alike tools and hacking techniques. That said, with the number of similar ransomware groups, it’s hard to determine which hacking group is accountable for specific attacks. The GandCrab group targeted operated service providers, which manage IT systems on behalf of other companies, during its final days. This gives confidence to the notion that former GandCrab members are now with REvil.

What does REvil do?

REvil acts as a company that sells hacking technology and other tools to third-party hackers. REvil members have created online support on the dark web, In exchange for using REvil’s services and malware, REvil, like similar groups, takes a roughly 20% cut of any ransomware payments while its affiliate hackers keep the other 80%. Other hacking groups that operate similar ransomware-as-a-service include Conti and Ryuk, Narang said.