Jul 13, 2021 - Technology

Russian ransomware group's dark web sites mysteriously go down

Illustration of a poison symbol made of binary code, over water.

Illustration: Brendan Lynch/Axios

Dark web sites tied to the Russia-based cyber gang REvil were not operating on Tuesday, just two weeks after the group launched a large-scale ransomware campaign that affected more than 1,500 companies around the world, according to CNBC.

Why it matters: It's unclear whether the sites — which REvil uses to facilitate its ransom negotiations — are down because of a technical problem, a law enforcement operation, or some other explanation. The group's public spokesperson has also been silent on message boards since last week, according to Politico.

  • President Biden called Russian President Vladimir Putin on Friday to demand that he crack down on cyber gangs operating in Russia.
  • He warned that the U.S. would take action to "defend its people" against ransomware attacks, and suggested that could include taking the hackers' servers offline.

Flashback: DarkSide, another Russia-based hacking group, ceased operations after it shut down the Colonial Pipeline during a ransomware operation, leading to widespread gas shortages in the U.S. for several days.

  • The Department of Justice later announced that U.S. investigators gained access to the infrastructure DarkSide used to carry out its extortion operations and recovered part of the ransom payment the pipeline had made to the group to regain access to its computers.

Yes, but: Security experts have said that cyber criminal groups sometimes disband and return under different names, so it can't yet be determined whether the disruption to REvil's websites is permanent.

The big picture: The full extent of REvil's most recent ransomware operation is still unknown.

  • The group was responsible for several other prominent ransomware attempts, including one that forced major meat supplier JBS to briefly shut down its beef plants across the U.S.
  • REvil at one point demanded $70 million to restore the data it held for ransom in the July 4 weekend operation that targeted Kaseya software, though it's currently unknown how many companies made ransom payments.

Go deeper: Assessing the size of the Kaseya ransomware attack
