Websites on the dark web used by a criminal hacking group believed to be behind the recent massive ransomware attack on software company Kaseya went offline Tuesday.
The hacking group, REvil, is believed to be based in Russia, and has been linked by the FBI to the ransomware attack in May on JBS USA, the nation’s largest beef producer. The more recent attack on Kaseya impacted up to 1,500 companies, many of them small businesses.
According to The New York Times, the websites on the dark web used by REvil to negotiate payment with victims and lists of companies it had targeted went dark early on Tuesday morning.
John Hultquist, the vice president of Analysis at cybersecurity group FireEye’s Mandiant Threat Intelligence, confirmed the takedown, saying in a statement provided to The Hill Tuesday that “at the time of analysis all known websites associated with the REvil ransomware RaaS are offline or non-responsive.”
“REvil's darknet (.onion) and clearnet (decoder.re) websites are offline, and although we have no visibility into exactly how their darknet sites have been taken down their clearnet site's domain has simply ceased resolving to an IP address and its dedicated name servers are still online,” Hultquist said.
The White House has so far not commented on the takedown of the websites.
Deputy press secretary Karine Jean-PierreKarine Jean-PierreBiden sends 'best wishes' to Clinton following hospitalization The Hill's 12:30 Report - Presented by The Conference of Presidents of Major Italian American Organizations - US opens to vaccinated visitors as FDA panel discusses boosters Biden intends to sign short-term bill raising debt ceiling MORE told reporters aboard Air Force One on Tuesday “I don’t have anything further to share on that," when asked about the incident.
The Hill has reached out to the FBI for comment, and the Cybersecurity and Infrastructure Security Agency (CISA) declined to comment on the takedowns.
It is unclear what caused the hacking group to go dark.
The developments come less than a week after President BidenJoe BidenManchin lays down demands for child tax credit: report Abrams targets Black churchgoers during campaign stops for McAuliffe in Virginia Pentagon, State Department square off on Afghanistan accountability MORE called Russian President Vladimir PutinVladimir Vladimirovich PutinEquilibrium/Sustainability — Presented by Altria — Hot mic catches Queen criticizing 'irritating' climate inaction Putin directs sexist remark at US anchor Navalny, Afghan women among those under consideration for EU human rights prize MORE and strongly urged him to take further action against ransomware groups based in Russia.
“I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden told reporters when asked about the phone call on Friday.
Biden was later asked on Friday if it made sense for the U.S. to attack the servers used by the attackers, and Biden responded, "yes."
Biden and Putin also discussed these concerns during their summit in Geneva, Switzerland, last month, and Biden handed Putin a list of 16 critical U.S. entities that Russia should not attack, warning that the U.S. was prepared to take action against Russia if malicious actions in cyberspace continued.
This is not the first time in recent months a cyber criminal group has gone dark.
The DarkSide hacking group, also believed to be based in Russia, shut down its operations after the FBI linked the group to the ransomware attack on Colonial Pipeline in May that caused gas shortages in several states.
The Justice Department was also able to recover over half the $4.4 million in Bitcoin that Colonial paid DarkSide to regain access to its networks.
Hultquist stressed that many details may not ever come to light if a government was behind the takedown of the websites.
“The situation is still unfolding, but evidence suggests REvil has suffered a planned, concurrent takedown of their infrastructure, either by the operators themselves or via industry or law enforcement action,” Hultquist said. “If this was a disruption operation of some kind, full details may never come to light.”
Officials at Check Point Research, which has tracked around 15 ransomware attacks per week linked to REvil over the past 15 months, were also closely monitoring the website takedowns on Tuesday.
“One possibility is a silent takedown, similar to what happened in the DarkSide situation, where hackers were silently taken offline by the feds,” Check Point spokesperson Ekram Ahmed said in a statement provided to The Hill.
“Though it might be too early to celebrate, as another viable possibility is that the ransomware gang has decided to lay low, given all the attention and spotlight they’ve underwent recently from the Kaseya, Colonial Pipeline and JBS attacks.”
“We recommend not jumping to any immediate conclusions as it’s early, but REvil is, indeed, one of the most ruthless and creative ransomware gangs we’ve ever seen,” he stressed.