Date: 2021-07-13

When a ransomware gang goes offline, it raises a lot of questions.

A hacking organization based in Russia that was blamed for a huge ransomware attack went down on Tuesday, prompting speculation that it was the consequence of a government-led intervention.

REvil’s “dark web” domain vanished two weeks after an attack that disrupted the networks of hundreds of companies around the world and sparked a $70 million ransom demand.

“REvil has seemingly vanished from the dark web, as their website has gone offline,” tweeted Allan Liska of Recorded Future, who added that the site has been down since around 0500 GMT.

The report comes after US Vice President Joe Biden issued a warning to his Russian counterpart Vladimir Putin about harboring hackers, while also implying that the US could act in response to rising ransomware attacks.

Analysts have speculated in the past that the US military’s Cyber Command has the capability to strike back at hackers in the event of national security threats, but there has been no official confirmation of this.

In an emailed comment, John Hultquist of Mandiant Threat Intelligence said, “The issue is still evolving, but evidence shows REvil has suffered a planned, synchronized takedown of their infrastructure, either by the operators themselves or by industry or law enforcement action.”

“If this was some kind of disruption operation, the exact specifics may never be revealed.”

Brett Callow of the security firm Emsisoft also raised unanswered questions.

“It’s unclear whether the interruption is the result of law enforcement action,” Callow added.

“While it would obviously be a positive thing if law enforcement was able to impede the gang’s operations, it could cause problems for any companies whose data is now encrypted. They wouldn’t be able to pay REvil for the key that would allow them to decode their data.”

An estimated 1,500 firms were impacted by the unprecedented attack on the US software vendor Kaseya.

The Kaseya attack, which began on July 2, shut down a major Swedish grocery chain and ricocheted around the world, affecting businesses in at least 17 countries, from pharmacies to gas stations, including dozens of New Zealand kindergartens.
