author photo
By Bruce Sussman
Tue | Jul 13, 2021 | 2:17 PM PDT

They are the Russian hacking group behind the Kaseya and JBS ransomware attacks, and many more.

And on Tuesday, July 12, 2021, the world learned the REvil websites on the Dark Web were offline.

What we know about REvil websites being down

CNBC covered the news of these REvil sites being offline as breaking news:

"These are sites, maintained by the hacking group, which is linked to Russia in the dark web, they use these sites to communicate with their victims. To publicize some of the material that they've stolen. All of those now are down we are told by two high-ranking cybersecurity officials."

The network shared a screenshot of what you see if you go to the ransomware gang's websites. The message says, "a server with the specified hostname could not be found."


Why are REvil websites offline?

The big question now is why are the REvil websites down? Here are some questions our SecureWorld News editorial team kicked around:

Did the U.S. deliver on promises to retaliate against Russia-linked hacking efforts?

On Friday, President Joe Biden was asked by a member of the media if it would make sense for the U.S. to attack the servers that have hosted ransomware attacks? Biden responded with one word: "Yes."

Also, President Biden spoke to Putin about the Kaseya cyberattack by phone last week. A briefing from a senior administration official following the call dangled this information out to the world:

"President Biden reiterated that the United States will take necessary action to defend its people and its critical infrastructure in the face of this continuing challenge.... And I think the President was asked today if he expected us, the United States, to take action, to follow up. He said, 'Yes.'

We're not going to telegraph what those actions will be precisely. Some of them will be manifest and visible, some of them may not be. But we expect those to take place, you know, in the days and weeks ahead."

Did Putin take action?

Perhaps Putin took action or directed Russian law enforcement to take the sites offline and head off any U.S. actions.

Did REvil go into hiding or "retire"?

A third possibility is that REvil itself is feeling tremendous heat and took its money and ran, trying to lay low while the pressure is on. This is something we've seen hacking groups do in the past, at least on a temporary basis. 

The point of creating a list like this is that right now we simply do not know what happened. 

Jake Williams, Co-Founder and CTO at BreachQuest, agrees.

"At this point, anything around is just speculation. Ransomware gangs operating in Russia were on borrowed time the second Colonial was hit.

The Russian government didn't care about the cybercrime occurring within its borders, but only so long as it didn't impact Russia itself. That has clearly changed—the Russian government can clearly see they are being impacted by the actions of these actors.

Whether REvil was taken out of commission by the Russian government, saw the writing on the wall, and took infrastructure down, is simply rebranding like so many groups have (likely including REvil itself), or something else is unknown at this point."

There is much more to come, we are sure, on this developing story.

Tags: Ransomware,