REvil Sites Go Dark
REvil's Dark Web sites went offline early Tuesday morning. It is not yet clear whether the ransomware gang was caught or whether the group took its sites down on purpose. This came just days after President Biden demanded that Russian President Putin shut down ransomware groups. All of REvil's sites went offline at around 1 a.m.
The REvil ransomware operation, also known as Sodinokibi, uses both clear-web and Dark Web sites to negotiate ransoms, leak data, support its backend infrastructure and receive payment from its many victims. The victim list has grown with the addition of Kaseya and its many managed service provider customers, as well as the global meat supplier JBS Foods.
The shutdown could be because the U.S. took down the servers. It may also be the work of the Russian government, given the White House's demand to Russia over the ransomware plague. The dead servers come just a few days after President Biden called President Vladimir Putin and demanded that he shut down ransomware groups attacking American targets.
Jake Williams, co-founder, said that the ransomware gangs operating in Russia were on borrowed time the second Colonial was hit. Colonial Pipeline was hit with ransomware right before Memorial Day weekend, and the attack was attributed to the ransomware-as-a-service operation DarkSide. Drew Schmitt, principal threat intelligence analyst for GuidePoint Security, thinks the lack of a DNS response is an indicator that law enforcement was involved. It could also be a short outage; only time will tell what is actually going on.
Even if law-enforcement agencies have successfully targeted REvil, it won't be the end of the group's activities. Some think that the group will reappear under another name or split into smaller groups to attract less attention. Regardless of whether it's a permanent or a temporary shutdown, REvil's downed servers are still good news. If it's a government takedown, great, they're taking action. If the group voluntarily went quiet, it shows that they may be scared.