
Multiple websites of dreaded ransomware group REvil down following Biden-Putin phone call

Still unclear if authorities were involved, but web pages and payment portals for the group behind attacks on JBS and Kaseya have disappeared

It looks as if US President Joe Biden’s talks with Russian President Vladimir Putin have had some effect.

On Tuesday, several websites linked to the Russian ransomware gang REvil, purportedly the group behind several recent ransomware attacks on US companies, went offline. Visitors were met with a blank page and the browser error “A server with the specified hostname could not be found”, the message shown when a domain name no longer resolves to an IP address.

The exact reason for the sudden disappearance is not known, but experts suggest the Biden-Putin conversation may have played a part.

Biden said he raised the issue with his Russian counterpart during a phone call last week. The two leaders had also discussed the subject during a summit in Geneva last month.

Biden told the media after the phone call last Friday: “I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is.”

When a journalist asked whether the US could attack the servers used by the hackers, the President said: “Yes”.

The disappearance of the public-facing sites of REvil, also known as Sodinokibi, comes on the heels of the recent attack on the Florida-based software provider Kaseya. The group claimed credit for that attack, which ultimately affected some 1,800 customers, including several in Europe.

REvil is also believed to be behind the attack on JBS, the world’s largest meatpacking company, which shut down its operations in the United States, Canada and Australia and ended with JBS paying an $11 million ransom.

In May, a separate group known as DarkSide attacked Colonial Pipeline, forcing the US company to shut down nearly 5,500 miles of pipeline. The shutdown disrupted fuel supplies to the East Coast, and the company paid a $4 million ransom in cryptocurrency. US officials were later able to recover about $2.3 million of that amount.

John Hultquist of Mandiant Threat Intelligence told CNBC: “The situation is still unfolding, but evidence suggests REvil has suffered a planned, concurrent takedown of their infrastructure, either by the operators themselves or via industry or law enforcement action.

“REvil’s darknet (.onion) and clearnet (decoder.re) websites are offline, and although we have no visibility into exactly how their darknet sites have been taken down, their clearnet site’s domain has simply ceased resolving to an IP address.”

The FBI has repeatedly warned victim companies not to pay the ransom as it encourages further malicious activity.