Multiple REvil ransomware sites are down on the darkweb

Darkweb sites linked to the REvil ransomware gang were not operating Tuesday morning, CNBC has confirmed.

It is not clear what led to the websites of the ransomware-as-service group going down Tuesday.

Visitors to the sites, which had recently been active, were greeted with messages saying, “A server with the specified hostname could not be found.”

The disappearance of the public-facing sites affiliated with Russia-linked REvil, also known as Sodinokibi, comes on the heels of an international ransomware outbreak on July 2 that the group had taken credit for.

Last Friday, President Joe Biden was asked by a reporter if it “makes sense” for the United States to attack the computer servers that have hosted ransomware attacks.

“Yes,” Biden answered.

A National Security Council official later that same day told reporters that U.S. authorities expected to take action against ransomware groups soon

“We’re not going to telegraph what those actions will be precisely,” that official said.

“Some of them will be manifest and visible, some of them may not be. But we expect them to take place in the days and weeks ahead.”

John Hultquist of Mandiant Threat Intelligence told CNBC on Tuesday, “It may be too early to determine what is going on, and if this is an operation of some kind, full details may never come to light.”

“At any rate, it’s good to see REvil disrupted,” Hultquist added.

Biden and Merkel to discuss Afghanistan, cybersecurity and Nord Stream pipeline this week
‘We stand with the Cuban people’ – Biden backs protesters, urges regime to respect their rights
In addition to the July 2 attack, the REvil group also is believed to have recently attacked computers belonging to JBS, forcing the world’s largest meatpacking company to shut down operations in the United States for one day in June, and also disrupted operations in Australia.

JBS paid the equivalent of $11 million in ransom to get the gang to undo the attack.

Bleeping Computer’s Lawrence Abrams had tweeted earlier Tuesday that REvil sites were down

Several cybersecurity officials later confirmed that report to CNBC.

Ransomware attacks involve malware that encrypts files on a device or network that results in the system becoming inoperable. Criminals behind these types of cyberattacks typically demand a payment in exchange for the release of data.

The FBI has previously warned victims of ransomware attacks that paying a ransom could encourage further malicious activity.

The latest ransomware attack, disclosed earlier this month by Florida-based software provider Kaseya, spread to at least six European countries and breached the networks of thousands across the United States.

In May, a hacking group known as DarkSide with suspected ties to Russian criminals launched a ransomware attack on Colonial Pipeline, forcing the U.S. company to shut down approximately 5,500 miles of pipeline.

It led to a disruption of nearly half of the East Coast’s fuel supply and caused gasoline shortages in the Southeast and airline disruptions. Colonial Pipeline paid $5 million in ransom to the cybercriminals in order to restart operations.

A few weeks after the attack, U.S. law enforcement officials were able to recover $2.3 million in bitcoin from the hacker group.

Leave a Reply