At the time of writing, the REvil group's official website, along with its victim chat and payment gateways, is offline. For any victim still mid-negotiation, this means the portals through which a ransom would be paid and a decryptor obtained are unreachable.
A few days ago, the REvil group, believed to operate out of Russia, carried out one of the largest ransomware attacks to date against Kaseya, a U.S. software company, by abusing its VSA remote-management product to push ransomware to the company's managed-service-provider customers and their clients.
The group demanded a record-breaking $70 million ransom, with more than 1,500 businesses reported as impacted. An attack of that scale was bound to draw the attention of the White House, and it did.
U.S. President Joe Biden issued a statement warning Russian President Vladimir Putin to take action against the attackers, without spelling out what the consequences would be otherwise. In his words:
“I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is.”
Whether or not the warning was the cause, as of yesterday every known part of the REvil group's web presence has gone offline.
This includes the group's sites on the dark web (shown above) and on the surface web, among them the clearnet site decoder.re, as well as the victim chat and payment portals and all other sites believed to be operated by the group.
Furthermore, as shown below, the group was also banned from a Russian cybercriminal forum named XSS:
Based on past incidents, the forum bans users when it suspects they may have come under police control. The pattern closely resembles what happened to the DarkSide group, whose infrastructure was also taken offline shortly after its attack on a U.S. pipeline operator.
It is not clear whether this is the work of the Russian government, a law-enforcement takedown, or a decision by the group itself to go dark. Adding to the ambiguity, Putin's press secretary Dmitry Peskov said he was not aware of the outage and declined to comment, as reported by Bloomberg.
In conclusion, it remains unknown whether the Russian government will take responsibility for the takedown. While doing so might be conciliatory for both governments, it would also confirm that Russia has long allowed cybercriminals to operate within its jurisdiction while looking the other way.
Russia is not alone in this; other countries, including the U.S., are well known to engage in state-sponsored attacks and to tolerate criminals operating from within their borders. Regardless of what happened here, it is entirely possible that the REvil group will rebrand and return under another name, as ransomware crews have done before.