REvil, the ransomware gang that attacked meat supplier JBS Foods this spring and a major IT software vendor this month, has mysteriously vanished from the internet, according to cybersecurity experts tracking the group.
Websites and other infrastructure belonging to the cybercriminal gang, which is believed to operate from Eastern Europe or Russia, went dark on Tuesday as close observers of the group found they were unable to connect to REvil’s web page listing its victims.
Others said they were unable to connect to the sites REvil uses to communicate with victims and collect ransom payments.
“All REvil sites are down, including the payment sites and data leak site,” tweeted Lawrence Abrams, creator of the information security blog BleepingComputer. “The public ransomware gang represenative [sic], Unknown, is strangely quiet.”
The reasons for REvil’s disappearance were not immediately clear, but it follows a raft of high-profile hackings by the group that seized control of computers around the world. It also comes after President Joe Biden said he warned his Russian counterpart Vladimir Putin there would be consequences if Moscow failed to address the ransomware attacks emanating from within its borders.
The Biden administration has increasingly identified ransomware as a threat to national and economic security, highlighting its potential to disrupt critical infrastructure that Americans depend on.
Ransomware works by locking down a computer network, stealing and encrypting data until victims agree to pay a fee.
Those who refuse can find their information leaked online. In recent years, ransomware gangs have gone after hospitals, universities, police departments, city governments, and a wide range of other targets.
A source familiar with the matter told CNN the House Intelligence Committee has not been briefed on what caused REvil to go dark. An aide with the Senate Intelligence Committee said “no comment” when asked if that committee had been briefed on the situation.
Over the July 4 holiday weekend, cybersecurity experts said REvil was responsible for an attack on Kaseya, an IT software company that indirectly supports countless small businesses including accounting firms, restaurants and dentists’ offices.
REvil claimed credit for the attack, demanding an eye-popping $70 million ransom to release the affected machines. US officials have also said REvil was behind the attack on JBS, one of the world’s largest meatpacking companies.
REvil has obtained $11 million from victims in the course of its operation, according to the cryptocurrency payments tracker Ransomwhere.
The group’s sudden disappearance has prompted widespread speculation about what may have occurred. Theories range from planned system downtime to a coordinated governmental strike. But at this stage, experts are still guessing. The FBI and US Cyber Command declined to comment on whether they may have been involved.
“This outage could be criminal maintenance, planned retirement, or, more likely, the result of an offensive response to the criminal enterprise – we don’t know,” said Steve Moore, chief security strategist at the cybersecurity firm Exabeam.
Dmitri Alperovitch, chairman of the think tank Silverado Policy Accelerator and co-founder of the cybersecurity firm CrowdStrike, hypothesized that Western governments may be pressuring internet infrastructure companies not to complete web browser requests for REvil’s sites. (Alperovitch no longer works at CrowdStrike.)
Drew Schmitt, principal threat intelligence analyst at GuidePoint Security, cautioned that while an inability to connect to REvil’s sites may be a potential indicator of law enforcement involvement, it doesn’t prove it conclusively.
“Last week REvil’s site was down for a bit as well,” he said in a statement to CNN.
REvil is among the most prolific ransomware attackers, according to the cybersecurity firm Check Point. In the last two months alone, REvil conducted 15 attacks per week, Check Point spokesman Ekram Ahmed said.
Given the attention it has generated, REvil may have voluntarily chosen to lie low for a while, Ahmed added. “We recommend not jumping to any immediate conclusions as it’s early, but REvil is, indeed, one of the most ruthless and creative ransomware gangs we’ve ever seen.”
Anne Neuberger, the top White House cyber official, was traveling with Biden on Tuesday, though her reasons for accompanying the president to Philadelphia were not clear. A White House spokesperson didn’t immediately respond to a request for comment.