REvil vanishes from the web without a trace

The mysterious shutdown comes only days after the ransomware group’s massive Kaseya cyber attack hit at least 1,000 businesses

The notorious ransomware gang REVil, also known as Sodinokibi, has disappeared from the internet, with its entire web presence rendered offline. 

REvil has carved a reputation in recent years as being highly prolific, unafraid of targeting massive companies and demanding increasingly eye-watering sums of money following its attacks. The firm also licenses its malware in a form of ransomware as a service (RaaS) operating model.

According to various security researchers, the group’s servers and its payment sites are down, while its public spokesperson, who goes by 'Unknown', hasn’t been active since last Thursday. It’s too early to tell how or why all traces of REvil has vanished, and researchers are urging caution as speculation runs rife.

The shutdown is particularly strange given the timing, with REvil only days ago launching a massive attack against Kaseya that is said to have affected 1,500 businesses, with the group demanding a $70 million ransom in exchange for providing the universal decryption key. REvil also recently targeted Apple, threatening to release hardware schematics, and last year claimed to have made $100 million from its activities. 

“It would seem that everything is down for REvil (landing page, payment, ‘helpdesk’ chat),” said Exabeam’s chief security strategist, Steve Moore.

“This outage could be criminal maintenance, planned retirement, or, more likely, the result of an offensive response to the criminal enterprise – we don’t know.

Related Resource

2021 IBM Security X-Force Insider Threat Report

Top discovery methods and recommendations for insider attacks

White background with a black border on side - whitepaper from IBMDownload now

In the absence of a definitive answer, speculation is rife on social media and within the cyber security community as to what might have caused this shutdown, with US-led enforcement action one of the prevailing theories. The operators behind the ransomware that targeted the US Colonial Pipeline, for instance, claimed they were targeted by law enforcement officials shortly after their major attack.

Other security specialists are speculating that it’s more likely to be hardware-related or even self-initiated. Ransomware and malware specialist Lawrence Abrams has suggested as much, claiming the disappearance could be part of a rebranding effort. He later added that LockBit ransomware representatives claim the authorities targeted one of REvil’s servers, which was subsequently wiped. REvil’s spokesperson, Unknown, was then also banned on the widely visited Russian-speaking hacking forum XSS.

Another cyber security expert, Kevin Beaumont, has claimed that such a disappearance isn’t too unusual, with different groups likely to have stability issues due to the way they operate. While it’s possible that law enforcement agencies targeted the group, it’s equally likely that REvil has had an internal falling out or hardware failure, he added. 

In a later tweet, Beaumont reported that according to chatter on the dark web, REvil has performed an exit scam, and so has been purged from the internet. In cyber crime terms, an exit scam involves a group ceasing operating for its clients, by claiming that their databases were seized, for example, before walking away with deposits and providing their clients with nothing in exchange. 

One well-known exit scam involved Jokeroo ransomware in 2019, in which the RaaS site claimed their servers were seized by the Royal Thai Police (RTP) alongside Europol and the Dutch National Police (DNP). Researchers, at the time, reached out to all three agencies, with Europol denying it was involved in any operation, according to Binary Defence

Cyber security specialist with Eset, Jake Moore, has suggested the shutdown could be the result of enforcement action, with the increasing scale and breadth of new and improving police tactics starting to take effect.

“With recent state of the art techniques used to target displacing the money in other operations, it is clear that the police are beginning to turn the tide and fight back on digital crime,” he said.

“Although the detail in such law enforcement tactics still remains unknown to the public, it highlights the police are continuing to grow in their operations and fight from different angles. However, this setback for REvil will unlikely deter them completely, if anything, it may spur them on more.”

Steve Moore, from Exabeam, added that If the outage is the result of an offensive response, this then sends a message to these groups that they have a limited window in which to work. 

“If a nation responds to criminals backed by and hosted in another country, this will change the definition of risk for affected private organisations,” he continued. “The question becomes, who is and isn’t ready to participate in this new theatre?  If a nation engages in offensive ‘hack back’ operations, then to what degree should they defend private companies as well – which is arguably more valuable?” 

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

New ransomware group is attacking US firms and educational establishments
ransomware

New ransomware group is attacking US firms and educational establishments

15 Jul 2021
Interpol calls for more action to prevent "ransomware pandemic"
cyber security

Interpol calls for more action to prevent "ransomware pandemic"

13 Jul 2021
84% of organizations experienced phishing or ransomware attacks in the last year
ransomware

84% of organizations experienced phishing or ransomware attacks in the last year

12 Jul 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

9 Jul 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021