Security researchers are reporting that all of the dark web sites for prolific ransomware group REvil -- including the payment site, the group's public site, the 'helpdesk' chat and their negotiation portal -- are offline.
It is still unclear what caused the outages, but dozens of theories were floated online. On Friday, US President Joe Biden made news when he said he spoke directly to Russian President Vladimir Putin following REvil's massive ransomware attack on Kaseya that affected almost 1,500 organizations.
"I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is," Biden said.
"And secondly, we've set up a means of communication now on a regular basis to be able to communicate with one another when each of us thinks something is happening in another country that affects the home country. And so it went well. I'm optimistic."
White House officials are expected to meet with members of the Russian government to discuss ransomware this week.
While some security researchers believe the group may have taken their own websites down, either because of internal squabbles or fear over increased law enforcement scrutiny, others think it may be the result of official actions taken by government agencies.
"We all want to believe it is law enforcement, but this is a pretty extensive takedown across multiple providers," said Allan Liska, a ransomware expert and CSIRT at Recorded Future.
"This early on the more likely scenario is that it is a self-directed takedown. But I wouldn't rule out 'self-directed after a conversation with the Kremlin.' We've been speculating about this since the Kaseya attack: Biden gets a win because a major ransomware gang is gone, Putin gets a win because he 'helped' and REvil gets to keep all of their money (and their heads). The timing, the day before the next ransomware summit tomorrow, also lines up. But, that is all speculation."
Others, like Check Point Software spokesperson Ekram Ahmed, compared the situation to the DarkSide ransomware group, which shut down its operations in May after their attack on Colonial Pipeline drew global headlines and outrage in the US. DarkSide also saw some of its infrastructure disrupted by US law enforcement agencies after the attack.
"Though it might be too early to celebrate, another viable possibility is that the ransomware gang has decided to lay low, given all the attention and spotlight they've undergone recently from the Kaseya, Colonial Pipeline and JBS attacks," Ahmed explained.
"It's possible that REvil has gone into 'retirement', or at least a temporary one, as they did with the GandCrab ransomware a few years ago."
REvil has attacked at least 360 US-based organizations this year, according to Emsisoft threat analyst Brett Callow. The RansomWhere research site says the group has brought in more than $11 million this year, with high profile attacks on Acer, JBS, Quanta Computer and more.
Egnyte cybersecurity evangelist Neil Jones said people should be wary of celebrating the group's potential downfall because new ransomware infrastructure can be brought online quickly.
Steve Moore, chief security strategist at Exabeam, theorized that the outage "could be criminal maintenance, planned retirement, or, more likely, the result of an offensive response to the criminal enterprise."
"If the outage is the result of an offensive response, this then sends a new message to these groups that they have a limited window in which to work," Moore said. "Furthermore, if a nation responds to criminals backed by and hosted in another country, this will change the definition of risk for affected private organizations."