The ransomware gang REvil's websites are offline, about a week and a half after the group's cyberattack on IT software vendor Kaseya allowed the criminals to breach hundreds of companies around the world.
As of Tuesday morning, the group’s public website, the dark-web portal that facilitated its ransom negotiations with victims and the site that victims used to pay those ransoms were offline.
In addition to REvil’s websites, “all of their infrastructure” used to control their hacking operations is also dark, said Allan Liska, an intelligence analyst who tracks ransomware for the cybersecurity firm Recorded Future.
REvil’s public spokesperson, who goes by the pseudonym “Unknown,” “hasn’t been active on message boards since last Thursday,” Liska said.
Cause unknown: It is unclear why REvil's public presence has disappeared, or whether the outage is permanent or temporary. Ransomware gangs sometimes suffer from internal squabbles that disrupt their operations, and they also sometimes go dark deliberately, only to resurface later under a new name. The Russia-based cybercrime gang DarkSide announced that it was ceasing operations shortly after it hacked Colonial Pipeline in May, a breach that caused temporary fuel shortages in the U.S. and raised alarms about cyberattacks on critical infrastructure.
President Joe Biden recently vowed to take action against REvil and other Russian-based ransomware gangs if Moscow did not do so itself.
The National Security Council declined to comment on the REvil outage, which Bloomberg first reported. CISA and the FBI did not immediately respond to requests for comment.