There has been a rumor going around cybersecurity circles that REvil, the notorious ransomware gang behind some of the largest attacks, including the one on Kaseya and other high-profile targets, has been taken down. The speculation began after the data leak site, the extortion site and the payment portals tied to the group vanished from the dark web.
REvil’s dark web infrastructure consists of twenty-two data hosting sites and one data leak blog. An error notice reading “Onionsite not found” now greets anyone trying to access the platforms.
While it is still unclear why the ransomware gang has vanished, security professionals suggest the outage may have been caused by a takedown of the entire infrastructure.
REvil first emerged on the threat landscape in April 2019 and to this day remains one of the most lucrative ransomware-as-a-service (RaaS) gangs. The malware is an upgrade of the notorious GandCrab ransomware, which was active on underground marketplaces back in 2018.
Following the news of REvil’s disappearance, security professionals commented that if the RaaS infrastructure has been permanently taken down, it will mark the end of a gang responsible for more than 360 attacks on the U.S. public and commercial sectors in 2021 alone.
REvil’s sudden disappearance from the ransomware scene comes just after a global supply chain ransomware attack aimed at the renowned tech services provider Kaseya, which was targeted and extorted for a $70 million ransom in return for a universal decryption key that would free all victims’ encrypted data.
More details on the surprising shutdown reveal that REvil’s Happy Blog went offline on Tuesday at around 1 AM EST. The group’s spokesperson, known as “Unknown”, has not been seen posting on popular hacking forums since July 8th.
While this generally sounds like good news for everyone, some security professionals note that it is common for ransomware groups to deliberately step back from the spotlight for a while after hitting high-profile targets, only to reappear with a new strategy when least expected.
If REvil has indeed gone down unexpectedly, it may be because the group is retooling or rebranding under a new name to avoid unwanted attention, or because it has been hobbled by the heightened worldwide scrutiny of the global ransomware epidemic.
If the takedown proves to be permanent, it will almost certainly leave the group’s victims stranded, with no way to obtain the decryption keys needed to regain control of their systems. They would be permanently locked out of their data, with lasting consequences.