Days After a Threat From Biden, a Major Ransomware Group Goes Dark

The US recently suggested it would step up undercover attacks on Russian cyber criminals.

Hollandse-Hoogte/Zuma

Fight disinformation: Sign up for the free Mother Jones Daily newsletter and follow the news that matters.

A prolific ransomware group that was behind some of the year’s most prominent online attacks has gone dark—at least for now.

Websites used by REvil, whose software is thought to have been used to target meatpacker JBS in late May, and, more recently, software company Kaseya, were unaccessible on Tuesday, according to multiple information security researchers.

Given that President Joe Biden warned Russian President Vladimir Putin in a phone call just last week that the US might take action against ransomware groups operating from Russia if the Russian government didn’t, speculation quickly turned to some sort of American plot. Shortly after the presidents’ conversation, a Biden administration official told reporters that such actions were imminent, warning, according to the New York Times, that while some aspects of the response would “be manifest and visible…some of them may not be. But we expect that those take place in the days and weeks ahead.” 

REvil has long been thought to be run out of Russia, targeting a range of large, small, prominent, and obscure entities. The outfit provides ransomware software to affiliates, splitting any eventual payout. In the JBS case, they reportedly netted $11 million. The attack on Kaseya, which emerged as the US headed into the July 4 weekend, affected thousands of companies in 17 countries that use its IT infrastructure services.

Allan Liska, a ransomware expert at cybersecurity firm Recorded Future, told Bloomberg that the group’s extortion page—where companies’ data was posted as proof—was unavailable on Tuesday, as were the group’s payment portals and chat functions.

Brett Callow, a ransomware expert with cybersecurity firm Emsisoft, told Mother Jones Tuesday morning that, despite the administration’s threats, it was “far too early to read anything into this,” explaining that site has a history of outages. “This could be a temporary outage due to infrastructure upgrades or a disruption by law enforcement or REvil pulling the plug to sail off into the sunset,” Callow cautioned. Other researchers echoed the sentiment.

The FBI and US Cyber Command declined requests for comment.

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate