“All REvil sites are down, including the payment sites and the data leak site,” tweeted Lawrence Abrams, creator of the information security blog BleepingComputer. “General ransomware gang representative [sic] unknown, strangely quiet.”
Ransomware works by locking up a computer network, stealing data and encrypting it until victims agree to pay a fee.
Those who refuse can find their information leaked online. In recent years, ransomware gangs have gone after hospitals, universities, police departments, city governments, and a wide range of other targets.
A source familiar with the matter told CNN that the House Intelligence Committee has not been briefed on the reason for REvil’s disappearance. “No comment,” said an aide to the Senate Intelligence Committee when asked if the committee had been briefed on the situation.
REvil took $11 million from victims while operating, according to cryptocurrency payment tracker Ransomwhere.
The sudden disappearance of the group sparked widespread speculation about what might have happened. Theories range from a planned system disruption to a coordinated government strike. But at this point, experts are still guessing. The FBI and US Cyber Command declined to comment on whether they were involved.
“This outage could be a criminal maintenance, a planned retirement, or, more likely, the result of an offensive response to the criminal enterprise — we don’t know,” said Steve Moore, chief security strategist at cybersecurity firm Exabeam.
Dmitriy Alperovitch, president of the Silverado Policy Accelerator think-tank and co-founder of cybersecurity firm CrowdStrike, hypothesised that Western governments might pressure Internet infrastructure companies not to complete web browser requests for REvil sites. (Alperovitch no longer works at CrowdStrike.)
Drew Schmidt, lead threat intelligence analyst at GuidePoint Security, cautioned that while the inability to connect to REvil sites might be a potential indicator of law enforcement involvement, it doesn’t conclusively prove it.
“Last week, REvil crashed a little bit as well,” he told CNN.
REvil is among the most prevalent ransomware attackers, according to cybersecurity firm CheckPoint. CheckPoint spokesperson Ikram Ahmed said that in the past two months alone, REvil has carried out 15 attacks per week.
Ahmed added that given the interest it generated, REvil may have voluntarily chosen to lie low for a while. “We recommend not jumping to any immediate conclusions because it’s still early days, but REvil is indeed one of the most ruthless and creative ransomware gangs we’ve seen.”
Anne Neuberger, the White House’s chief Internet officer, was traveling with Biden on Tuesday, although the reasons for her accompanying the president to Philadelphia were not clear. A White House spokesman did not immediately respond to a request for comment.