August 8, 2022

Dark websites linked to the ransomware gang REvil were down Tuesday morning, CNBC has confirmed.

It’s not clear what caused the ransomware-as-a-service group’s websites to go down on Tuesday. Visitors to the last active sites were greeted with the message “A server with the specified host name could not be found”.

The disappearance of the publicly accessible sites associated with Russia-affiliated REvil, also known as Sodinokibi, follows an international ransomware outbreak on July 2 that the group was held responsible for.

A National Security Council official declined to comment on Tuesday morning to CNBC.

On Friday, President Joe Biden was asked by a reporter whether it “makes sense” for the United States to attack the computer servers that have hosted ransomware attacks.

“Yes,” replied Biden.

A National Security Council official told reporters later that day that US authorities expected action against ransomware groups soon.

“We will not telegraph what exactly these actions will be,” said the official.

“Some of them will be manifest and visible, others may not. But we expect them to take place in the days and weeks to come.”


John Hultquist of Mandiant Threat Intelligence told CNBC on Tuesday, “The situation is still developing, but there is evidence that REvil has suffered planned simultaneous destruction of its infrastructure, either by the operators themselves or by industry or law enforcement action.”

“If it was a disruption operation, all the details may never be revealed,” Hultquist added in an email.

He also said analysis shows that “known websites associated with the REvil ransomware RaaS are offline or unresponsive.”

“REvil’s darknet (.onion) and clearnet (decoder.re) websites are offline, and while we can’t see exactly how their darknet sites were shut down, the domain of their clearnet site simply stopped resolving to an IP address while its dedicated name servers are still online,” said Hultquist.


In addition to the July 2 attack, the REvil group reportedly also recently attacked JBS computers, causing the world’s largest meat-packing company to cease operations in the US for a day in June and also to interrupt operations in Australia.

JBS paid the equivalent of $11 million in ransom to get the gang to reverse the attack.

Bleeping Computer’s Lawrence Abrams tweeted earlier Tuesday that the REvil sites were down.

Several cybersecurity officials later confirmed this report to CNBC.

Ransomware attacks involve malware that encrypts files on a device or network, causing the system to become inoperable. Criminals behind such cyberattacks usually request payment in exchange for the release of data.

The FBI previously warned victims of ransomware attacks that paying a ransom could encourage further malicious activity.

The latest ransomware attack, announced earlier this month by Florida-based software provider Kaseya, spread to at least six European countries and disrupted the networks of thousands in the United States.

In May, a hacking group called DarkSide with alleged links to Russian criminals launched a ransomware attack on the Colonial Pipeline, forcing the US company to shut down a pipeline roughly 5,500 miles long.

It cut fuel supplies to the east coast by nearly half, causing fuel shortages in the southeast and disruption to airlines. Colonial Pipeline paid a $5 million ransom to the cyber criminals to restart operations.

A few weeks after the attack, US law enforcement agencies were able to recover $2.3 million worth of bitcoins from the hacking group.