The websites managed by the ransomware REvil team have been down since yesterday.
The REvil ransomware group, also known as Sodinokibi, has several websites, both for regular www network, as well as Tor, used as ransom trading sites, ransomware data leakage sites, and backend infrastructure. Since yesterday they are all down without any warning.
Those who visit well-known sites, such as decoder [.] re they see a message telling them that the server cannot be found. It is not clear what led to the collapse of all these pages linked to the Russian group REvil but suspicions fall on the early USA.
On Friday, President Joe Biden was asked by a reporter if it "makes sense" for the United States to attack computer servers that have hosted ransomware attacks and the chairman replied in the affirmative.
In addition, a US National Security Council official told reporters the same day that US authorities were expected to take action against ransomware groups soon.
So far, however, it is unclear whether the shutdown of REvil's servers is for technical reasons, or if the gang has ceased operations, or if any law enforcement operations have been carried out by the Russia or the US.
The bottom line is, however, that the US in concert with Russia began to pressure these types of illegal groups to expose them. Corresponding ransomware groups, such as DarkSide and Babuk, have voluntarily shut down their websites due to increased pressurefrom law enforcement.
However, when an ransomware group is terminated, their operators and associates usually rename the group and continue to operate it as a new business carrying out ransomware attacks. This has been observed in the past, when GandCrab closed and many of its members resumed as REvil. The Babuk team was also restarted as Babuk v2.0.
