“All REvil sites are down, including the payment sites and data leak site,” tweeted Lawrence Abrams, creator of the information security blog BleepingComputer. “The public ransomware gang represenative [sic] Unknown, is strangely quiet.”
Ransomware works by locking down a computer network, stealing and encrypting data until victims agree to pay a fee.
Those who refuse can find their information leaked online. In recent years, ransomware gangs have gone after hospitals, universities, police departments, city governments, and a wide range of other targets.
A source familiar with the matter told CNN the House Intelligence Committee has not been briefed on what caused REvil to go dark. An aide with the Senate Intelligence Committee said “no comment” when asked if that committee had been briefed on the situation.
REvil has obtained $11 million from victims in the course of its operation, according to the cryptocurrency payments tracker Ransomwhere.
The group’s sudden disappearance has prompted widespread speculation about what may have occurred. Theories range from planned system downtime to a coordinated governmental strike. But at this stage, experts are still guessing. The FBI and US Cyber Command declined to comment on whether they may have been involved.
“This outage could be criminal maintenance, planned retirement, or, more likely, the result of an offensive response to the criminal enterprise — we don’t know,” said Steve Moore, chief security strategist at the cybersecurity firm Exabeam.
Dmitri Alperovitch, chairman of the think tank Silverado Policy Accelerator and co-founder of the cybersecurity firm CrowdStrike, hypothesized that Western governments may be pressuring internet infrastructure companies not to complete web browser requests for REvil’s sites. (Alperovitch no longer works at CrowdStrike.)
Drew Schmitt, principal threat intelligence analyst at GuidePoint Security, cautioned that while an inability to connect to REvil’s sites may be a potential indicator of law enforcement involvement, it doesn’t prove it conclusively.
“Last week REvil’s site was down for a bit as well,” he said in a statement to CNN.
REvil is among the most prolific ransomware attackers, according to the cybersecurity firm CheckPoint. In the last two months alone, REvil conducted 15 attacks per week, CheckPoint spokesman Ekram Ahmed said.
Given the attention it has generated, REvil may have voluntarily chosen to lay low for a while, Ahmed added. “We recommend not jumping to any immediate conclusions as it’s early, but REvil is, indeed, one of the most ruthless and creative ransomware gangs we’ve ever seen.”
Anne Neuberger, the top White House cyber official, was traveling with Biden on Tuesday, though her reasons for accompanying the president to Philadelphia were not clear. A White House spokesperson didn’t immediately respond to a request for comment.