Sites run by ransomware gang REvil vanish from dark web

Several websites and backend infrastructure run by the Russia-linked ransomware gang REvil, the group behind a string of attacks including a breach of Apple supplier Quanta, went offline on Tuesday, according to security experts.

REvil's public dark web portal, which the group used to communicate with and collect funds from victims of cyberattacks, went offline without warning early Tuesday, reports Politico.

Further, the infrastructure that the group used to control its various operations is also down, according to intelligence analyst Allan Liska. REvil's spokesperson, who goes by "Unknown," "hasn't been active on message boards since last Thursday," Liska said, according to the report.

It is not clear why the sites are down or who, if anyone, is responsible. As noted in the report, ransomware gangs sometimes wind down operations, as Russian cybercrime clan DarkSide did following its raid of Colonial Pipeline in May.

"The situation is still unfolding, but evidence suggests REvil has suffered a planned, concurrent takedown of their infrastructure, either by the operators themselves or via industry or law enforcement action," John Hultquist, director of the FireEye Mandiant Threat Intelligence team, told CNBC. "REvil's darknet (.onion) and clearnet (decoder.re) websites are offline, and although we have no visibility into exactly how their darknet sites have been taken down, their clearnet site's domain has simply ceased resolving to an IP address and its dedicated name servers are still online."

The deactivation comes days after President Joe Biden said it would make sense to strike against servers that have hosted ransomware attacks. There is no evidence that the U.S., Russia or any other nation took action against REvil.

REvil previously targeted meat processing company JBS, extracting $11 million in return for stolen data. In April, the group threatened to leak "confidential drawings of personal data with several major brands" after hacking systems owned by Apple partner Quanta. Quanta was at one point in talks to pay out $20 million.

Most recently, REvil attacked IT management firm Kaseya, a company that provides remote support and software update services for thousands of businesses around the world. The group demanded $70 million for a universal decryptor that would unlock all computers and terminals affected by the breach.

9 Comments

lkrupp 19 Years · 10521 comments

So now victims of REvil are wondering how they are going to pay the ransom to get their data back. I’d love to think the U.S. Cyber Command took them out but it was likely Putin in my uniformed opinion. There’s also speculation that REvil will pop up again under a different name. In either event NO ONE is going to talk about how this went down or who did it. It’s cloak and dagger stuff, cyber cold war shenanigans.

dewme 10 Years · 5775 comments

They should’ve known not to mess with our meat.

GeorgeBMac 8 Years · 11421 comments

dewme said:
They should’ve known not to mess with our meat.

They've been doing that since we messed with theirs.

GeorgeBMac 8 Years · 11421 comments

lkrupp said:
So now victims of REvil are wondering how they are going to pay the ransom to get their data back. I’d love to think the U.S. Cyber Command took them out but it was likely Putin in my uniformed opinion. There’s also speculation that REvil will pop up again under a different name. In either event NO ONE is going to talk about how this went down or who did it. It’s cloak and dagger stuff, cyber cold war shenanigans.
True!  We will likely never know.
But these supposed independent, free-lancers (which take multiple forms -- from volunteers invading Ukraine to propaganda outlets) operate under the watchful eye, guidance and support of Putin's security forces.

We should just ask Vladimir what he intends.  Ultimately, he's the boss.

verne arase 11 Years · 479 comments

Good.

I hope they were the victim of a covert action team, and they disappear from the face of the earth.

That's the only type of action which would make others think twice about trying something similar, if the home government (Russia) won't take action against criminals operating from within their borders.