Multiple REvil ransomware sites are down on the dark web

Key Points
  • Dark web sites affiliated with the REvil ransomware gang were not operating Tuesday morning.
  • The disappearance of the sites affiliated with the Russian-linked gang REvil, also known as Sodinokibi, comes on the heels of an international ransomware outbreak on July 2 that the group had taken credit for.
  • President Joe Biden recently said it would make sense for the United States to attack computer servers used by ransomware groups.
Ransomware websites operated by REvil are down: Sources

Dark web sites linked to the REvil ransomware gang were not operating Tuesday morning, CNBC has confirmed.

It is not clear what led to the websites of the ransomware-as-a-service group going down Tuesday. Visitors to the sites, which had recently been active, were greeted with messages saying, "A server with the specified hostname could not be found."

The disappearance of the public-facing sites affiliated with Russia-linked REvil, also known as Sodinokibi, comes on the heels of an international ransomware outbreak on July 2 that the group had taken credit for.

A National Security Council official declined to comment to CNBC on Tuesday morning.

On Friday, President Joe Biden was asked by a reporter if it "makes sense" for the United States to attack the computer servers that have hosted ransomware attacks.

"Yes," Biden answered.

A National Security Council official later that same day told reporters that U.S. authorities expected to take action against ransomware groups soon.

"We're not going to telegraph what those actions will be precisely," that official said.

"Some of them will be manifest and visible, some of them may not be. But we expect them to take place in the days and weeks ahead."

John Hultquist of Mandiant Threat Intelligence told CNBC on Tuesday, "The situation is still unfolding, but evidence suggests REvil has suffered a planned, concurrent takedown of their infrastructure, either by the operators themselves or via industry or law enforcement action."

"If this was a disruption operation of some kind, full details may never come to light," Hultquist added in an email.

He also said an analysis shows that "known websites associated with the REvil ransomware RaaS are offline or non-responsive."

"REvil's darknet (.onion) and clearnet (decoder.re) websites are offline, and although we have no visibility into exactly how their darknet sites have been taken down, their clearnet site's domain has simply ceased resolving to an IP address and its dedicated name servers are still online," Hultquist said.

In addition to the July 2 attack, the REvil group is also believed to have recently attacked computers belonging to JBS, forcing the world's largest meatpacking company to shut down operations in the United States for one day in June and disrupting its operations in Australia.

JBS paid the equivalent of $11 million in ransom to get the gang to undo the attack.

Bleeping Computer's Lawrence Abrams had tweeted earlier Tuesday that REvil sites were down.

Several cybersecurity officials later confirmed that report to CNBC.

Ransomware attacks involve malware that encrypts files on a device or network, rendering the system inoperable. Criminals behind these types of cyberattacks typically demand a payment in exchange for the release of the data.

The FBI has previously warned victims of ransomware attacks that paying a ransom could encourage further malicious activity.

The latest ransomware attack, disclosed earlier this month by Florida-based software provider Kaseya, spread to at least six European countries and breached the networks of thousands across the United States.

In May, a hacking group known as DarkSide with suspected ties to Russian criminals launched a ransomware attack on Colonial Pipeline, forcing the U.S. company to shut down approximately 5,500 miles of pipeline.

It led to a disruption of nearly half of the East Coast's fuel supply and caused gasoline shortages in the Southeast and airline disruptions. Colonial Pipeline paid $5 million in ransom to the cybercriminals in order to restart operations.

A few weeks after the attack, U.S. law enforcement officials were able to recover $2.3 million in bitcoin from the hacker group.