REvil vanishes from the web without a trace

The notorious ransomware gang REVil, also known as Sodinokibi, has disappeared from the internet, with its entire web presence rendered offline.

REvil has carved a reputation in recent years as being highly prolific, unafraid of targeting massive companies and demanding increasingly eye-watering sums of money following its attacks. The firm also licenses its malware in a form of ransomware as a service (RaaS) operating model.

According to various security researchers, the group’s servers and its payment sites are down, while its public spokesperson, who goes by 'Unknown', hasn’t been active since last Thursday. It’s too early to tell how or why all traces of REvil has vanished, and researchers are urging caution as speculation runs rife.

The shutdown is particularly strange given the timing, with REvil only days ago launching a massive attack against Kaseya that is said to have affected 1,500 businesses, with the group demanding a $70 million ransom in exchange for providing the universal decryption key. REvil also recently targeted Apple, threatening to release hardware schematics, and last year claimed to have made $100 million from its activities.

“It would seem that everything is down for REvil (landing page, payment, ‘helpdesk’ chat),” said Exabeam’s chief security strategist, Steve Moore.

“This outage could be criminal maintenance, planned retirement, or, more likely, the result of an offensive response to the criminal enterprise – we don’t know.

In the absence of a definitive answer, speculation is rife on social media and within the cyber security community as to what might have caused this shutdown, with US-led enforcement action one of the prevailing theories. The operators behind the ransomware that targeted the US Colonial Pipeline, for instance, claimed they were targeted by law enforcement officials shortly after their major attack.

Other security specialists are speculating that it’s more likely to be hardware-related or even self-initiated. Ransomware and malware specialist Lawrence Abrams has suggested as much, claiming the disappearance could be part of a rebranding effort. He later added that LockBit ransomware representatives claim the authorities targeted one of REvil’s servers, which was subsequently wiped. REvil’s spokesperson, Unknown, was then also banned on the widely visited Russian-speaking hacking forum XSS.

Another cyber security expert, Kevin Beaumont, has claimed that such a disappearance isn’t too unusual, with different groups likely to have stability issues due to the way they operate. While it’s possible that law enforcement agencies targeted the group, it’s equally likely that REvil has had an internal falling out or hardware failure, he added.

In a later tweet, Beaumont reported that according to chatter on the dark web, REvil has performed an exit scam, and so has been purged from the internet. In cyber crime terms, an exit scam involves a group ceasing operating for its clients, by claiming that their databases were seized, for example, before walking away with deposits and providing their clients with nothing in exchange.

One well-known exit scam involved Jokeroo ransomware in 2019, in which the RaaS site claimed their servers were seized by the Royal Thai Police (RTP) alongside Europol and the Dutch National Police (DNP). Researchers, at the time, reached out to all three agencies, with Europol denying it was involved in any operation, according to Binary Defence.

Cyber security specialist with Eset, Jake Moore, has suggested the shutdown could be the result of enforcement action, with the increasing scale and breadth of new and improving police tactics starting to take effect.

“With recent state of the art techniques used to target displacing the money in other operations, it is clear that the police are beginning to turn the tide and fight back on digital crime,” he said.

“Although the detail in such law enforcement tactics still remains unknown to the public, it highlights the police are continuing to grow in their operations and fight from different angles. However, this setback for REvil will unlikely deter them completely, if anything, it may spur them on more.”

Steve Moore, from Exabeam, added that If the outage is the result of an offensive response, this then sends a message to these groups that they have a limited window in which to work.

“If a nation responds to criminals backed by and hosted in another country, this will change the definition of risk for affected private organisations,” he continued. “The question becomes, who is and isn’t ready to participate in this new theatre? If a nation engages in offensive ‘hack back’ operations, then to what degree should they defend private companies as well – which is arguably more valuable?”