Russia’s most aggressive ransomware group disappeared. It’s unclear who made that happen.

by By David E. Sanger | Jul 13, 2021 | National Security

Just days after President Biden demanded that President Vladimir V. Putin of Russia shut down ransomware groups attacking American targets, the most aggressive of the groups suddenly went off-line early Tuesday.

The mystery is who made it happen.

The group, called REvil, short for “Ransomware evil,” has been identified by U.S. intelligence agencies as responsible for the attack on one of America’s largest beef producers, JBS. Two weeks after Mr. Biden and Mr. Putin met in Geneva last month, REvil took credit for a hack that affected thousands of businesses around the world over the July 4 holiday.

That latest attack led to Mr. Biden’s ultimatum in a phone call on Friday to the Russian president. Later, Mr. Biden said that “we expect them to act,” and when asked by a reporter later if he would take down the group’s servers if Mr. Putin did not, the president simply said, “Yes.”

He may have done exactly that.

But that is only one possible explanation for what happened around 1 a.m. Eastern time on Tuesday, when the group’s sites on the dark web suddenly disappeared.

Gone was the publicly available “happy blog” the group maintained, listing some of its victims and the group’s earnings from its digital extortion schemes. Internet security groups said the custom-made sites — think of them as virtual conference rooms — where victims negotiated with REvil over how much ransom they would pay to get their data unlocked also disappeared. So did the infrastructure for making payments.

While the disappearance of the hackers’ online presence was celebrated by many who see ransomware as a new scourge — one Mr. Biden has called a critical national security threat — it left some of the group’s targets in the lurch, unable to pay the ransom to get their data back and get their businesses running again.

Share This

Share this post with your friends!