Suddenly the Russian hacking group REvil disappeared from the face of the earth, but why?

The Russian ransomware group REvil appears to have overplayed its hand. Earlier this month the gang struck hard, but now all traces of it have suddenly vanished.

REvil’s regular public internet sites have been out of reach since Tuesday. Both sites are on the darknet (a hard-to-reach part of the internet, ed.). On its “Happy Blog”, the group kept track of its successes, including its victims and payouts. The group’s entire technical infrastructure has also been dismantled.

REvil (short for “Ransomware Evil”) has been around for a while, but it has been in the news a lot recently. First with the attack on the meat processor JBS, and earlier this month by hacking thousands of companies around the world. That attack was carried out by distributing ransomware through a previously undetected vulnerability in software from the company Kaseya, which ICT service providers use to manage their customers’ systems remotely.

Through the sophisticated hack of Kaseya, the ransomware ended up at all of those other companies. JBS ended up paying millions in ransom to regain access to its data. The criminals initially demanded $70 million to release the systems of thousands of other companies in one fell swoop.


Like many other groups, REvil operates on a profitable business model known as Ransomware as a Service (RaaS). REvil develops advanced hacking tools and offers them, together with supporting services, on the dark web to other groups. This makes it difficult to determine who actually carried out an attack. REvil takes a percentage of the ransom that companies pay to get back into their systems.

There are many theories about what is going on with REvil now. It is possible that, after US President Joe Biden’s threatening language last week, the Russian authorities did in fact intervene. That would be surprising and fast, and not in line with the lax attitude Russia has taken for years when it comes to fighting cybercriminals on its territory.


Another possibility is that the group’s infrastructure was destroyed by American services. That does not seem likely either. After all, many American companies were affected by the Kaseya hack, which encrypted their systems. The keys to unlock those systems lie within the REvil infrastructure. If US services were to sabotage it, the chance of affected Western companies getting their data back would be significantly reduced.

REvil may also have withdrawn abruptly on its own and destroyed all traces of itself. Ransomware groups sometimes do this to reduce the chance of being caught. They disappear from the face of the earth and merge into other or new groups, which makes the work of investigators harder. Some also make off with their loot and leave the criminal world for good.

Red button

This theory is supported to some extent by the fact that REvil users have been banned from a well-known cybercrime forum on the dark web, says digital expert Frank Groenewegen of Deloitte. “These forums often act as a kind of trusted intermediary, holding bitcoins in a safe place so that the parties working with REvil know they will always get paid.” In that sense, the forum acts as a kind of notary.

But Groenewegen considers a different scenario more likely. “It is also possible that REvil saw traces of an American intrusion and pressed the red button in a panic.” In this scenario, US law enforcement agencies would have been looking for identifiable clues and traces, which REvil noticed. “If that had worked, REvil would have been exposed. They might have removed everything because of it.” That would in any case explain why the entire infrastructure disappeared in one fell swoop.

Megan Vasquez
