After wreaking havoc in the corporate world, the notorious REvil ransomware suddenly went offline. Neither its traces appear on its dark web site, nor has it maintained any representation on cybercrime forums.
REvil Ransomware Went Offline
Reportedly, the infamous REvil ransomware gang has apparently gone offline for unknown reasons. While similar disruptions had happened with REvil sites in the past too, what’s unique this time is the simultaneous closure.
According to Bleeping Computer, the ransomware sites went offline sometime the night before July 13, 2021. The gang’s .onion site displayed the error “This site can’t be reached” upon attempting to visit.
Whereas Vitali Kremez observed that LockBit ransomware hinted about REvil receiving a government subpoena.
#LockBit Ransomware-as-a-Service Support (#REvil competitor): “Upon uncorroborated information, REvil server infrastructure received a government legal request forcing REvil to completely erase server infrastructure and disappear. However, it is not confirmed”
— Vitali Kremez (@VK_Intel) July 13, 2021
Though it remains unconfirmed, another evidence backing the hypothesis of the gang’s departure (or seizure, maybe?) comes from the banning of REvil’s representative by the cybercrime forum XSS.
As Kremez told Bleeping Computer,
As a rule of thumb, the administration of the top forums bans its users when they are suspected of being under the police control.
Has REvil Shut Down?
It isn’t presently clear if REvil has departed for good or is merely facing a temporary outage. However, given the unwarranted attention the ransomware caught after a wobbly Kaseya zero-day exploit, it isn’t unlikely for the threat actors to disappear.
Also, recently, the US had threatened Russian authorities to “take care of” the ransomware gangs operating within, or the Us would handle them.
Although the FBI hasn’t currently commented anything about a potential crackdown of REvil, the authorities might likely have disrupted the technical infrastructure. Recently, the DarkSide gang faced a similar fate in the wake of the Colonial Pipeline incident.
After that, the Avaddon gang shut down its business and released decryption keys in a bid to escape.
However, ruling out a REvil comeback isn’t also feasible for now. Recently, the Babuk ransomware also reappeared after briefly going offline following the DC Police attack. Even the REvil ransomware emerged quickly from roughly the same threat actors who earlier operated Gandcrab.
Hence, it remains unclear if REvil has disappeared for good or has taken a temporary break for now.