REvil Gang Site Disappears, Could US Cyber Troops Attack?

JAKARTA - A dark web site linked to the REvil ransomware gang was found to be inoperable on Tuesday, July 13, 2021. CNBC confirmed the outage.

It is not clear what caused the ransomware-as-a-service group's website to go down on Tuesday. Visitors to the site, which was active as recently as the previous week, are greeted with the message "The server with the specified hostname could not be found."

The disappearance of the public site linked to REvil, the Russia-linked ransomware group also known as Sodinokibi, comes after the international ransomware outbreak that began on July 2.

On Friday, July 9, US President Joe Biden was asked by a reporter, "does it make sense for the United States to attack computer servers that host ransomware attacks?". "Yes," Biden answered, firmly.

A National Security Council official told reporters the same day that US authorities would take action against the ransomware group in the coming days, without specifying what that action would be.

“We are not going to send a telegram as to what exactly the action is. Some of them will be real and visible, some of them may not. But we hope that action will take place in the next few days and weeks," the official said.

Not long after those statements, the site associated with the REvil gang disappeared.

"The situation is still ongoing, but evidence suggests REvil has undergone a concurrent, planned, deletion of their infrastructure, either by the operators themselves or through industry or law enforcement action," John Hultquist of Mandiant Threat Intelligence told CNBC on Tuesday, July 13. "If this had been a tampering operation, the full details would probably never have been revealed."

He added that analysis showed the websites known to be linked to the REvil RaaS operation were either offline or unresponsive.

"REvil's darknet (.onion) and clearnet (decoder.re) websites are offline, and although we can't see exactly how those darknet sites have been removed, their clearnet sites' domains have stopped resolving to their IP addresses and special names. But the servers are still online," Hultquist said.
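The distinction drawn in that quote, a domain that no longer resolves versus a server that has actually gone dark, is worth checking explicitly when tracking a threat actor's infrastructure. The following Python is an added example written for this article; it is not code from the article, from Mandiant, or from any tracking tool the article mentions. It takes a list of known hostnames with the IP each was last seen on, resolves each name, and then probes TCP 443 either on the live answer or on the last-known IP, so a name that has stopped resolving can still be classified as "server still up" or "server gone". The DNS resolver and TCP prober are injectable, and the run at the bottom uses constructed results and TEST-NET addresses (203.0.113.x, 198.51.100.x, 192.0.2.x) so it runs offline; decoder.re is only the hostname named in the article, the IP attached to it here is made up. Real .onion services are not resolvable through public DNS at all and would need a Tor SOCKS proxy, so they are left out.

```python
"""Distinguish "the domain stopped resolving" from "the server went dark".

Added example, not from the article or from Mandiant. Hostnames, IP
addresses and the fake resolver/prober results below are constructed
(TEST-NET ranges); decoder.re is only the name mentioned in the article.
"""
from __future__ import annotations

import socket
from dataclasses import dataclass
from typing import Callable, Optional

STATUS_ONLINE = "resolves and reachable"
STATUS_RESOLVES_UNREACHABLE = "resolves but server unreachable"
STATUS_DOMAIN_GONE_SERVER_UP = "not resolving; last-known server still online"
STATUS_DOMAIN_GONE_SERVER_DOWN = "not resolving; last-known server unreachable"
STATUS_NO_IP = "not resolving; no last-known IP to probe"


@dataclass(frozen=True)
class Observation:
    hostname: str
    last_known_ip: Optional[str]
    resolved_ip: Optional[str]
    reachable: Optional[bool]  # None when there was no IP to probe

    @property
    def status(self) -> str:
        if self.resolved_ip is not None:
            return STATUS_ONLINE if self.reachable else STATUS_RESOLVES_UNREACHABLE
        if self.last_known_ip is None:
            return STATUS_NO_IP
        return STATUS_DOMAIN_GONE_SERVER_UP if self.reachable else STATUS_DOMAIN_GONE_SERVER_DOWN


def tcp_reachable(ip: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Real prober: a completed TCP handshake means something is still listening."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_infrastructure(
    targets: dict[str, Optional[str]],
    gethostbyname: Callable[[str], str] = socket.gethostbyname,
    prober: Callable[[str], bool] = tcp_reachable,
) -> list[Observation]:
    """targets maps hostname -> last-known IP (None if never recorded)."""
    results = []
    for hostname, last_ip in targets.items():
        try:
            resolved = gethostbyname(hostname)
        except OSError:  # socket.gaierror is a subclass of OSError
            resolved = None
        # Probe the live DNS answer if there is one, otherwise the IP we last saw.
        ip_to_probe = resolved or last_ip
        reachable = prober(ip_to_probe) if ip_to_probe else None
        results.append(Observation(hostname, last_ip, resolved, reachable))
    return results


# --- constructed sample data standing in for real DNS answers and TCP probes ---
TARGETS = {
    "decoder.re": "203.0.113.10",    # clearnet site named in the article; IP is made up
    "panel.example": "198.51.100.7",
    "portal.example": "192.0.2.5",
    "blog.example": None,            # never recorded an IP for this one
}
FAKE_DNS = {"panel.example": "198.51.100.7", "portal.example": "192.0.2.5"}
FAKE_LISTENING = {"203.0.113.10", "198.51.100.7"}  # hosts that accept TCP 443


def fake_gethostbyname(hostname: str) -> str:
    """Constructed resolver: unknown names fail the way a real lookup does."""
    if hostname in FAKE_DNS:
        return FAKE_DNS[hostname]
    raise socket.gaierror(-2, "Name or service not known")


def fake_prober(ip: str) -> bool:
    return ip in FAKE_LISTENING


def demo() -> dict[str, str]:
    obs = check_infrastructure(TARGETS, fake_gethostbyname, fake_prober)
    return {o.hostname: o.status for o in obs}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:16} {status}")
```

In the constructed run, decoder.re comes back as "not resolving; last-known server still online", which is exactly the pattern described in the quote: the DNS side was pulled while the host kept answering. Swap in the real `socket.gethostbyname` and `tcp_reachable` (the defaults) to run it against live infrastructure, and record the last-known IPs from your own earlier observations rather than trusting a single snapshot.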

In addition to the July 2 attacks, the REvil group is also believed to be behind the recent attack on JBS, which forced the world's largest meat-packing company to halt its US operations for a day in June and disrupted its operations in Australia.

JBS paid a ransom equivalent to US$11 million to end the attack.

Lawrence Abrams of Bleeping Computer had tweeted earlier on Tuesday that the REvil site was down. Several cybersecurity officials later confirmed the report to CNBC.

The FBI has previously warned ransomware victims against paying, since payment encourages further malicious activity.

The latest ransomware attack was disclosed earlier this month by Florida-based software provider Kaseya. It spread to at least six European countries and compromised thousands of networks across the United States.

In May, a hacking group known as DarkSide, with alleged ties to Russian criminals, launched a ransomware attack on Colonial Pipeline, forcing the company to shut down about 5,500 miles of pipeline.

The shutdown disrupted nearly half of the East Coast's fuel supply and led to gasoline shortages in the Southeast and flight disruptions. Colonial Pipeline paid the cybercriminals a ransom of nearly $5 million to restart operations.

A few weeks after the attack, US law enforcement recovered $2.3 million in bitcoin from the group.