REvil Ransomware Servers Go Dark Suggesting Possible Law Enforcement Takedown

REvil (Sodinokibi), one of the most prolific ransomware-as-a-service operations, had its servers shut down suddenly early on Tuesday morning.

The REvil gang has been behind some of the most serious ransomware attacks over the past few years, including the recent supply chain attack on the IT management and monitoring software provider Kaseya and the attack on JBS Foods in the United States.

The ransomware gang, which is believed to operate out of Russia, is known for conducting attacks on large enterprise targets, stealing data prior to file exfiltration, and publishing stolen data on its internet and dark web sites to pressure victims into paying the ransom. At around 1 a.m. on Tuesday, all of the REvil sites suddenly went offline. The reason for the shutdown has yet to be confirmed.

At the Geneva summit in June, President Biden spoke with Vladamir Putin about cyberattacks by threat actors based in Russia, in particular the current ransomware plague. Following on that meeting, Biden called Putin and demanded action be taken to shut down ransomware groups operating out of Russia. Bident told reporters in the United States following on from that call that if Russia failed to take action and shut down the servers used by the ransomware gangs, the United States will.

The timing of the shutdown could just also be coincidence. Ransomware gangs have been known to temporarily shut down their servers for a variety of reasons, but the pressure being put on the operation could have been enough for the gang to decide to lie low for a while.

The former is certainly possible. Russia has allowed ransomware groups to operate within its borders and has turned a blind eye to the activity as it does not affect Russia itself. RaaS operations with links to Russia do not attack Russian targets. If a device is infected that is based in Russia, the ransomware will exit, and no file encryption will occur.

Russia is now starting to be affected by these attacks following the United States crackdown on ransomware operations in the wake of the attack on the critical infrastructure firm Colonial Pipeline in May by the DarkSide ransomware gang. That attack resulted in the shutdown of the fuel pipeline serving the Eastern Seaboard for around a week. There was also an attack by the REvil ransomware gang on JBS Foods, which runs meat processing plants in the United States, that threatened food supplies.

Following on from the attack, the DarkSide ransomware gang lost access to part of its infrastructure when it was seized by law enforcement, including servers used for its blog and payment processing. It is possible that part of REvil’s infrastructure was also seized by law enforcement.

One individual claiming to be an REvil affiliate told the BBC that U.S. law enforcement took down certain elements of its infrastructure and the REvil ransomware gang decided to pull the plug.  He also said the gang was being put under pressure from the Kremlin, stating “Russia is tired of the US and other countries crying to them.”

While the shutdown could spell the end of the REvil operation, that does not mean that the attacks will stop. It is common for ransomware gangs to suddenly shut down their operations and rebrand. The REvil ransomware gang is certainly no stranger to rebranding and has done so in the past. Also, the affiliates that have been conducting attacks for the gang are likely to simply switch to a different RaaS.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of