Washington: A Russian hacker group blamed for a large-scale ransomware attack went offline on Tuesday, sparking speculation about whether the move was the result of a government-led operation.
The “dark web” page of the organization called REvil disappeared about two weeks after the attack disrupted the networks of hundreds of companies around the world and triggered a ransom demand of $70 million.
Allan Liska, a security researcher at Recorded Future, wrote on Twitter: “REvil seems to have disappeared from the dark web because its website is offline.” He pointed out that the website has not responded since about 0500 GMT.
The news came after U.S. President Joe Biden reiterated his warning about harbouring cybercriminals to Russian President Vladimir Putin late last week, while hinting that Washington could take action in response to the growing number of ransomware attacks.
Analysts have said in the past that the US military’s Cyber Command has the ability to act against hackers when they pose a national security threat, but there has been no official confirmation of any such action.
Mandiant Threat Intelligence’s John Hultquist said in an emailed statement: “The situation is still evolving, but there is evidence that REvil has suffered a planned and concurrent takedown of its infrastructure, whether by the operators themselves or through industry or law enforcement action.”
“If this was some sort of disruption operation, the full details may never be disclosed.”
Brett Callow of the security company Emsisoft also pointed to unresolved questions.
“Whether the outage is the result of action taken by law enforcement is unclear,” Callow said.
“If law enforcement has managed to disrupt the gang’s operations, that would obviously be a good thing, but could create problems for any companies whose data is currently encrypted. They’d not have the option of paying REvil for the key needed to decrypt their data.”
James Lewis, head of technology and public policy at the Washington-based Center for Strategic & International Studies, said the site may be down for a number of reasons including pressure from Russian authorities.
“I don’t think it was us,” he said.
Liska noted that the site’s ownership had not been changed, making a domain seizure less likely. “This could suggest these are self-directed takedowns (too early to tell),” he said.
The unprecedented attack targeting the US software firm Kaseya affected an estimated 1,500 businesses.
The Kaseya attack, which was reported July 2, shut down a major Swedish supermarket chain and ricocheted around the world, impacting businesses in at least 17 countries, from pharmacies to gas stations, as well as dozens of New Zealand kindergartens.