In brief

  • REvil, the Russian ransomware group behind recent high-profile attacks, has disappeared from the dark web.
  • The move comes after President Biden’s Friday ultimatum to Russian President Vladimir Putin about acting on ransomware groups in his country.

Just days after United States President Joe Biden issued an ultimatum to Russian President Vladimir Putin to combat ransomware attacks hailing from his country, the notorious REvil hacking group has suddenly gone offline.

Ransomware is a type of cyberattack in which hackers remotely take control of computers, locking access and sometimes files while demanding a ransom to free their devices. Typically, the ransom is requested in Bitcoin or another cryptocurrency, which can be difficult to track. Hackers have reportedly pulled in some $33 million worth of Bitcoin so far this year.

REvil led a recent wave of attacks against United States companies, last week demanding a $70 million ransom in Bitcoin after locking the computers of more than 200 companies linked to IT firm Kaseya. The Russian group claimed that more than a million systems were affected in the attack. Back in May, the group attacked American meatpacker JBS and was paid an $11 million Bitcoin ransom to free its systems.

The New York Times reports that REvil’s sites on the dark web mysteriously "disappeared" overnight, leaving no immediate trace of who was responsible for the disappearance.

One theory is that Biden instructed the United States Cyber Command to cripple and take down the group’s sites, fearing potential further ransomware attacks ahead. Another theory, according to the Times, is that Putin acted on the ultimatum after signaling that he was open to such cooperation during a June meeting in Geneva.

The last theory, however, is that the group simply pulled its own sites offline following growing international pressure. That’s what experts believed happened with Darkside, the group that facilitated May’s Colonial Pipeline attack (US authorities recovered much of that ransom). Darkside’s move was considered to be “digital theatre,” the Times suggests, and that such hackers may ultimately reform and resume their attacks under a different name.

Amidst the growing wave of ransomware attacks against American companies, Biden’s administration has moved to classify such attacks as a threat to national security—particularly as they has affected key infrastructure firms, such as with Colonial Pipeline.

Biden told Putin on Friday that the United States would take “any necessary action” to combat ransomware attacks, and he “expected [Russia] to act” on information about hacking groups when provided actionable information—even though REvil was not a state-sponsored operation.