[BreachExchange] REvil ransomware gang's web sites mysteriously shut down

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Jul 13 11:30:16 EDT 2021


https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/

The infrastructure and websites for the REvil ransomware operation have
mysteriously gone offline as of last night.

The REvil ransomware operation, aka Sodinokibi, operates through numerous
clear web and dark web sites used as ransom negotiation sites, ransomware
data leak sites, and backend infrastructure.

Starting last night, the websites and infrastructure used by the REvil
ransomware operation have mysteriously shut down.

While it is not unheard of for REvil sites to lose connectivity for some
time, for all of the sites to shut down simultaneously is unusual.

Furthermore, the decoder[.]re clear website is no longer resolvable by DNS
queries, possibly indicating the DNS records for the domain have been
pulled or that backend DNS infrastructure has been shut down.

On July 2nd, the REvil ransomware gang encrypted approximately 60 managed
service providers (MSPs) and over 1,500 individual businesses using a
zero-day vulnerability in the Kaseya VSA remote management software.

Since then, the ransomware group has been under increased scrutiny by law
enforcement.

As these ransomware gangs commonly operate out of Russia, President Biden
has been in talks with President Putin about the attacks and warned that if
Russia did not act against threat actors within its borders, the USA would
take action itself.

"I made it very clear to him that the United States expects when a
ransomware operation is coming from his soil even though it's not sponsored
by the state, we expect them to act if we give them enough information to
act on who that is," Biden said after signing an executive order at the
White House.

At this point, it is not clear whether the shutdown of these servers is
simply a technical issue, whether the gang shut down its operation, or
whether a law enforcement operation took place.

Other ransomware groups, such as DarkSide and Babuk, shut down voluntarily
due to the increased pressure by law enforcement. However, these threat
actors commonly rebrand as a new group to continue performing ransomware
attacks.

BleepingComputer has contacted the FBI with questions about possible law
enforcement action but has not heard back at this time.