Sites run by ransomware gang REvil vanish from dark web

Posted in General Discussion, edited July 2021
A number of websites and backend online infrastructure run by Russia-linked ransomware gang REvil, responsible for a number of attacks including a breach of Apple supplier Quanta, went offline on Tuesday, according to security experts.

REvil's public dark web portal, which the group used to communicate with and collect funds from victims of cyberattacks, went offline without warning early Tuesday, reports Politico.

Further, the infrastructure that the group used to control its various operations is also down, according to intelligence analyst Allan Liska. REvil's spokesperson, who goes by "Unknown," "hasn't been active on message boards since last Thursday," Liska said, according to the report.

It is not clear why the sites are down or who, if anyone, is responsible. As noted in the report, ransomware gangs sometimes wind down operations, as Russian cybercrime clan DarkSide did following its raid of Colonial Pipeline in May.

"The situation is still unfolding, but evidence suggests REvil has suffered a planned, concurrent takedown of their infrastructure, either by the operators themselves or via industry or law enforcement action," John Hultquist, director of the FireEye Mandiant Threat Intelligence team, told CNBC. "REvil's darknet (.onion) and clearnet (decoder.re) websites are offline, and although we have no visibility into exactly how their darknet sites have been taken down, their clearnet site's domain has simply ceased resolving to an IP address and its dedicated name servers are still online."

The deactivation comes days after President Joe Biden said it would make sense to strike against servers that have hosted ransomware attacks. There is no evidence that the U.S., Russia or another nation took action against REvil.

REvil previously targeted meat processing company JBS, extracting $11 million in return for stolen data. In April, the group threatened to leak "confidential drawings of personal data with several major brands" after hacking systems owned by Apple partner Quanta. Quanta was at one point in talks to pay out $20 million.

Most recently, REvil attacked IT management firm Kaseya, a company that provides remote support and software update support for thousands of businesses around the world. The group demanded $70 million for a universal decryptor that would unlock all computers and terminals affected by the breach.


Comments

  • Reply 1 of 9
    lkrupp Posts: 10,557 member
    So now victims of REvil are wondering how they are going to pay the ransom to get their data back. I’d love to think the U.S. Cyber Command took them out but it was likely Putin in my uninformed opinion. There’s also speculation that REvil will pop up again under a different name. In either event NO ONE is going to talk about how this went down or who did it. It’s cloak and dagger stuff, cyber cold war shenanigans.
  • Reply 2 of 9
    dewme Posts: 5,372 member
    They should’ve known not to mess with our meat.
  • Reply 3 of 9
    GeorgeBMac Posts: 11,421 member
    dewme said:
    They should’ve known not to mess with our meat.

    They've been doing that since we messed with theirs.
  • Reply 4 of 9
    GeorgeBMac Posts: 11,421 member
    lkrupp said:
    So now victims of REvil are wondering how they are going to pay the ransom to get their data back. I’d love to think the U.S. Cyber Command took them out but it was likely Putin in my uninformed opinion. There’s also speculation that REvil will pop up again under a different name. In either event NO ONE is going to talk about how this went down or who did it. It’s cloak and dagger stuff, cyber cold war shenanigans.
    True!  We will likely never know.
    But these supposed independent, free-lancers (which take multiple forms -- from volunteers invading Ukraine to propaganda outlets) operate under the watchful eye, guidance and support of Putin's security forces.

    We should just ask Vladimir what he intends.  Ultimately, he's the boss.

  • Reply 5 of 9
    Good.

    I hope they were the victim of a covert action team, and they disappear from the face of the earth.

    That's the only type of action which would make others think twice about trying something similar, if the home government (Russia) won't take action against criminals operating from within their borders.
  • Reply 6 of 9
    GeorgeBMac Posts: 11,421 member
    Good.

    I hope they were the victim of a covert action team, and they disappear from the face of the earth.

    That's the only type of action which would make others think twice about trying something similar, if the home government (Russia) won't take action against criminals operating from within their borders.

    These guys are more likely like the VietCong or Taliban: strike & then fade into the background. Until next time.
  • Reply 7 of 9
    Good.

    I hope they were the victim of a covert action team, and they disappear from the face of the earth.

    That's the only type of action which would make others think twice about trying something similar, if the home government (Russia) won't take action against criminals operating from within their borders.

    These guys are more likely like the VietCong or Taliban: strike & then fade into the background. Until next time.
    Except that, if so, they abandoned ongoing operations in doing so — so whatever this was, it wasn’t planned.

    I am clueless, but this is so abrupt and total that it looks more like Putin shutting them down, rather than an international security operation. He has a lot at stake, with his state-sponsored hacking and his ongoing influence and disinformation campaigns around the world, so he’s not going to let criminals like these jeopardize those operations. 
  • Reply 8 of 9
    GeorgeBMac Posts: 11,421 member
    Good.

    I hope they were the victim of a covert action team, and they disappear from the face of the earth.

    That's the only type of action which would make others think twice about trying something similar, if the home government (Russia) won't take action against criminals operating from within their borders.

    These guys are more likely like the VietCong or Taliban: strike & then fade into the background. Until next time.
    Except that, if so, they abandoned ongoing operations in doing so — so whatever this was, it wasn’t planned.

    I am clueless, but this is so abrupt and total that it looks more like Putin shutting them down, rather than an international security operation. He has a lot at stake, with his state-sponsored hacking and his ongoing influence and disinformation campaigns around the world, so he’s not going to let criminals like these jeopardize those operations.
    Can't argue with that.
    These guys may have been freelancing -- taking advantage of the favorable environment there
  • Reply 9 of 9
    lkrupp said:
    So now victims of REvil are wondering how they are going to pay the ransom to get their data back. I’d love to think the U.S. Cyber Command took them out but it was likely Putin in my uninformed opinion. There’s also speculation that REvil will pop up again under a different name. In either event NO ONE is going to talk about how this went down or who did it. It’s cloak and dagger stuff, cyber cold war shenanigans.
    True!  We will likely never know.
    But these supposed independent, free-lancers (which take multiple forms -- from volunteers invading Ukraine to propaganda outlets) operate under the watchful eye, guidance and support of Putin's security forces.

    We should just ask Vladimir what he intends.  Ultimately, he's the boss.

    REvil ransomware group that targeted Apple supplier gets hacked, taken offline | AppleInsider