Although the websites of the Russia-based criminal syndicate responsible for a series of devastating ransomware attacks went down on Tuesday, cybersecurity experts said it was too early to speculate about why, and that there were no signs of an enforcement action.
Cybersecurity researchers said that REvil's dark web data-leak site and its ransom-negotiating portals were unreachable. The group was responsible for the ransomware attack on the meat processor JBS and for this month's attack on the software company Kaseya, which left well over 1,000 businesses crippled.
On Friday, President Joe Biden spoke to Vladimir Putin to urge him to stop the attacks by Russia-based terrorist groups. He also warned that the U.S. has the right to defend its citizens and vital infrastructure against attacks.
There were no immediate public signs that REvil had been taken offline by the government. Ryan Sherstobitoff, a threat researcher at SecurityScorecard, said it was possible the group was lying low after the attack, or changing its methods now that its operations had been exposed.
Sean Gallagher, a cybersecurity threat researcher at Sophos, said that “it could be that the server hardware failed,” or that the infrastructure was deliberately taken down, or that someone attacked their host. He also noted that REvil’s public ransom-negotiating website had been down last Wednesday.
Spokespeople for the White House and U.S. Cyber Command (the Pentagon’s cyber arm) declined to comment Tuesday.
Alex Holden, the founder and chief information security officer at Hold Security, said that there have been no signs of either a voluntary shutdown or offensive action by law enforcement. “It is possible that it is premature to speculate right now, given the fact that REvil has been growing in strength over recent months.”
He said, “There is always the glimmering hope that Russia is finally doing some right.”
Ransomware variants have disappeared in the past because the criminals behind them modified and retooled their malware before reintroducing it under another guise. Threat analysts believe this is what happened to GandCrab, the ransomware-as-a-service precursor to the REvil ransomware variants. It was the most popular variant over a 15-month period that began in January 2018.