Websites on the dark web used by the notorious Russia-linked REvil ransomware group, believed to be behind a series of ransomware attacks on hundreds of organizations and businesses worldwide, including the US software vendor Kaseya and the world’s largest meat processor JBS, have gone offline.
The group’s public website and its payment website became unavailable on Tuesday morning. The reason for the websites’ disappearance is not clear, but some speculation suggests that REvil, also known as Sodinokibi, may have been targeted by authorities.
“The situation is still unfolding, but evidence suggests REvil has suffered a planned, concurrent takedown of their infrastructure, either by the operators themselves or via industry or law enforcement action,” John Hultquist of Mandiant Threat Intelligence told CNBC.
“If this was a disruption operation of some kind, full details may never come to light,” he added.
According to Allan Liska, an intelligence analyst at the cybersecurity firm Recorded Future, all of REvil’s command-and-control infrastructure also went offline, and the group’s public spokesperson, known online as “Unknown,” “hasn’t been active on message boards since last Thursday.”
The news comes less than a week after President Joe Biden strongly urged Russian President Vladimir Putin to take further action against ransomware groups based in Russia.
Biden was later asked whether it made sense for the U.S. to attack the servers used by the attackers, and he responded, “yes.”
This is not the first time in recent months that a ransomware operation has gone dark. In May, the DarkSide hacking group, also linked to Russia, shut down its operations after the FBI blamed the group for the ransomware attack on the US fuel pipeline operator Colonial Pipeline, which caused gas shortages in several states.