In what may be a repeat of the United States’ response to the Colonial Pipeline hack, where the websites of the hackers responsible were taken down and their bitcoins wallets seized, the websites of the ransomware gang “REvil” went offline on Tuesday a week after an audacious ransomware attack infected over a thousand US companies.
The “onion” websites on the TOR network that were linked to “REvil” (also known as Sodinokibi) were showing as offline, VICE reported on Tuesday. Lawrence Abrams, owner of BleepinComputer, said the outage was seen on all REvil sites including their payment and data leak portals. He added that the ransomware gangs’ representative, “Unknown”, had been “strangely quiet”.
REvil is believed to be linked to Russia and is believed to be responsible for up to 42 per cent of ransomware attacks, according to threat intelligence firm Recorded Future.
REvil’s ransomware had a week prior struck over 1,000 US companies by targeting the Kasaya cloud-based MSP platform. US President Joe Biden has been facing increasing domestic pressure to play hardball with Russia on the issue of hacks on US infrastructure, and in his first face-to-face meeting with Russian President Vladimir Putin, he emphasised the need for the cyberattacks to stop.
Biden on July 9 warned Putin in a phone call to rein in the ransomware groups targeting the US, wuth US officials saying these attacks would not be treated as criminal acts but as national security threats—invoking a more severe response. “I made it very clear to [Putin] that the United States expects, when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden told reporters.
Wire agencies reported that Biden said “yes” in response to a question whether the US would target the servers that the Russian cybercriminals used.
However, the effect of such an attack remains to be determined. Cryptocurrencies received by such groups in the form of ransoms can be easily transferred to untraceable accounts. However, in the case of the Colonial Pipeline hack, the US was able to access the crypto-wallet used to store the ransom, after it somehow got access to the account's “private key”, recapturing $2.3 million of the $4.4 million received in bitcoin as a ransom. The group in that incident was DarkSide, which has also been accused of being linked to Russia.
Russia has denied links to the groups that are attacking the US, and has instead asked the US to focus on its own groups targeting Russia and get "its own house in order".