Multiple dark sites of REvil ransom group shut down after Biden warning

Russian-linked ransomware group REvil appears to have disappeared from the dark web, where it had several pages documenting its activities, including one called "Happy Blogger," which are currently inaccessible.

Both REvil's dark web (.onion) and clearnet(decoder.re) sites are offline, although we do not know exactly how their sites were taken down. The domain names of their explicit sites have only stopped resolving IP addresses, but their dedicated servers are still online.

It is not yet known if the sites were temporarily shut down or if the organization - or law enforcement - took their sites offline.

Allan Liska, a senior threat analyst at cybersecurity firm Recorded Future Inc. said in a text message, "It's too early to draw any conclusions, but I've never seen all of their infrastructure shut down like this." I can't find any of their sites on the dark web, their ransom pages are gone, all their payment portals are offline, and so is their chat function." The sites went offline around 1 a.m. Eastern time, Liska said.

The sudden outage comes days after President Joe Biden said he pressed Russian President Vladimir Putin to take action against the Russian hackers blamed for the recent ransomware attack.

Biden told reporters, "I made it very clear to him that the United States expects him to act when a ransomware operation comes from his soil, even if it's not state-sponsored. "

Representatives from the FBI, the Cybersecurity and Infrastructure Security Agency and the White House did not immediately respond to requests for comment. Kremlin spokesman Dmitry Peskov declined to comment, saying he was unaware of the network outage.

On Monday, Peskov said Russia was waiting for the U.S. to provide detailed information about the alleged cyberattack carried out from Russian territory." He said, "You say that hackers attacked some companies in the United States from Russian territory, but at least you need to give some information on what the basis for these conclusions is. The White House has said it has shared information about the criminal hacks with the Russian government.

Cybersecurity firms and the U.S. government suspect REvil, which is alleged to be behind the attack on giant meat supplier JBS SA, which eventually paid an $11 million ransom to the group, of operating inside Russia.

More recently, the group began a massive ransomware attack that affected hundreds of companies around the world. The hackers targeted software company Kaseya Ltd. and its customers.

The Biden administration has made combating the criminal hacking group a top national security priority amid a dramatic increase in ransomware attacks. DarkSide, the suspected Russian group accused of the ransomware attack on Colonial Pipeline Co., shut down its dark web page afterward. According to cybersecurity experts, it is unclear whether the group has actually retreated or rebranded under a new name.