Just days after President Biden called President Vladimir V. Putin of Russia and demanded that he take action to shut down ransomware groups that are attacking US targets, the most aggressive of them all suddenly went dark early Tuesday morning, ending negotiations over ransom payments and even bringing down the page where it brags about its most successful extortion schemes.
The mystery is who made that happen.
A group called REvil, which stands for “Ransomware evil,” has been identified by US intelligence agencies as responsible for the attack that brought down one of America’s largest beef producers, JBS. Two weeks after Mr. Biden and Mr. Putin met in Geneva last month, REvil was credited with a hack that affected thousands of businesses around the world over the July 4 holiday.
That latest attack led to Mr. Biden issuing an ultimatum in a Friday phone call with the Russian president. Mr. Biden then said “we expect them to act,” and when asked later by a reporter whether he would take down the group’s servers if Mr. Putin did not, the president simply said: “Yes.”
He could have done exactly that. But that is only one possible explanation for what happened around 1 a.m. Eastern time on Tuesday, when the group’s dark web sites suddenly disappeared. Gone are the public “happy blogs” the group maintained, listing its victims, and gone too, internet security groups said, are the custom websites where victims negotiated with REvil over how much they would pay to get their data unlocked. That data is also missing.
While the disappearance is celebrated by many who see ransomware as a new scourge, one that Mr. Biden has called a significant national security threat, it also leaves some of the group’s victims stranded: they cannot pay the ransom to get their data back and their businesses back up and running.
“What’s the plan for the victims?” asked Kurtis Minder, chief executive officer of Groupsense, a digital risk protection firm that is negotiating with blackmailers on behalf of a regional law firm whose data was stolen.
There are three main theories about why REvil, which seemed to be thriving and had racked up huge ransoms — including $11 million from JBS — suddenly disappeared.
One is that Mr. Biden ordered US Cyber Command, in coordination with domestic law enforcement agencies, including the FBI, to take down the group’s websites. Last year, Cyber Command proved it could do so, crippling a ransomware group it feared could turn its skills to freezing voter registration or other election data in the 2020 election.
The second theory is that Mr. Putin ordered the group’s websites to be taken down. If so, it would be a gesture toward heeding the warning Mr. Biden issued, in more general terms, when the two leaders met on June 16 in Geneva.
And a third is that REvil decided the heat was too intense and took the sites down itself to avoid being caught in a confrontation between the US president and Russia. That is what another Russia-based group, DarkSide, did after its ransomware attack on Colonial Pipeline, the American company that had to shut down gasoline and jet fuel deliveries along the East Coast back in May.
But many experts say that DarkSide’s exit from the business was digital theater, and that all of the ransomware group’s key talent will regroup under a different name. If so, the same could happen with REvil.
Just a few months ago, ransomware was considered a criminal problem. But after the attack on Colonial Pipeline, Mr. Biden and his advisers began to argue that attacks threatening critical infrastructure constitute a major national security threat.