A Russia-based hacking group believed to be responsible for a massive ransomware attack went offline on Tuesday, sparking speculation about whether the move was the result of government-led action.
The dark web site of the group known as REvil disappeared about two weeks after an attack that crippled the networks of hundreds of companies around the world and triggered a $70 million ransom demand.
“REvil has apparently disappeared from the dark web because its website went offline,” tweeted Allan Liska, a security researcher with Recorded Future, who found that the website stopped responding from around 0500 GMT.
The news comes after US President Joe Biden reiterated a warning to his Russian counterpart Vladimir Putin late last week against harboring cybercriminals, while suggesting Washington could take action in the face of increasing ransomware attacks.
Analysts have indicated in the past that the U.S. military's Cyber Command has the ability to disrupt hackers who pose a threat to national security, but there has been no official word on any such action.
“The situation is still evolving, but there is evidence that REvil has suffered a planned, simultaneous dismantling of its infrastructure, either by the operators themselves or through industry or law enforcement,” said John Hultquist of Mandiant Threat Intelligence in a statement sent by email.
“If this was a disruption operation, all of the details may never come to light.”
Brett Callow from the security company Emsisoft also pointed out unanswered questions.
“Whether the failure is the result of law enforcement action is unclear,” Callow said.
“If law enforcement managed to disrupt the gang’s operations it would be a good thing, of course, but it could cause problems for any company whose data is currently encrypted. They wouldn’t have the option to pay REvil for the key, which is needed to decrypt their data.”
James Lewis, director of technology and public order at the Washington Center for Strategic and International Studies, said the website may be unavailable for a number of reasons, including pressure from Russian authorities.
“I don’t think it was us,” he said.
Liska noted that the ownership of the site has not changed, which makes it less likely that the domain was seized. “This could suggest the takedowns are self-directed (too early to say),” he said.
The unprecedented attack on the US software company Kaseya affected an estimated 1,500 companies.
The Kaseya attack, reported on July 2, crippled a large Swedish supermarket chain and ricocheted around the world, affecting businesses in at least 17 countries, from pharmacies to gas stations, as well as dozens of New Zealand kindergartens.