The websites managed by the REvil ransomware team have been down since yesterday.
The REvil ransomware group, also known as Sodinokibi, runs several websites, both on the regular web and on Tor, that serve as ransom negotiation sites, ransomware data leak sites, and backend infrastructure. As of yesterday, they are all offline, without any warning.
Those who visit well-known sites such as decoder[.]re see a message telling them that the server could not be found. It is not clear what led to the collapse of all these pages linked to the Russian group REvil, but suspicions fall on the US authorities.
On Friday, President Joe Biden was asked by a reporter if it "makes sense" for the United States to attack computer servers that have hosted ransomware attacks, and the president replied in the affirmative.
In addition, a US National Security Council official told reporters the same day that US authorities were expected to take action against ransomware groups soon.
It is unknown at this time what he will do after leaving the post.
The point, however, is that the United States, in consultation with Russia, has begun to put pressure on such illegal groups in order to expose them. Similar ransomware groups, such as DarkSide and Babuk, have voluntarily shut down their websites due to increased pressure from law enforcement.
However, when a ransomware group shuts down, its operators and associates usually rename the group and continue to operate it as a new business carrying out ransomware attacks. This has been observed in the past, when GandCrab closed and many of its members resumed as REvil. The Babuk team also restarted as Babuk v2.0.