The hacking crew behind damaging attacks on meat supplier JBS and customers of tech provider Kaseya has disappeared from the internet.
The so-called REvil group’s dark web site, dubbed the “Happy Blog,” has been down since early this morning. Repeated attempts by Forbes to access the page today have failed with a notice saying: “The most likely cause is that the onionsite is offline.” REvil’s other pages, including its ransom payment page, are also currently inaccessible, and its representatives have been quiet on hacking forums since late last week, according to numerous cybersecurity researchers.
There’s no information as to why REvil, believed to be operating out of Russia, may have disappeared. It could be due to law enforcement action, though no agency has yet claimed success in taking the group down. (The FBI declined to comment.) Last month, President Biden and Russian leader Vladimir Putin discussed cybersecurity issues, including the potential for the Kremlin to be more supportive of efforts to counter cybercriminals launching devastating attacks on U.S. businesses.
REvil may also have bailed due to the attention from its recent attacks. Or its sites may have simply gone down because of a technical issue. As Brett Callow, a ransomware tracker at cybersecurity firm Emsisoft, notes, the Happy Blog has gone down before and come back up, making it “too early to read anything into this.”
In a similar recent case, the DarkSide ransomware hackers disappeared from the web not long after their malware was used in the huge hack of Colonial Pipeline, which led to the shutdown of gas lines across the East Coast of the U.S. In that case, some of the funds handed over in the $4 million ransom, paid in Bitcoin, were recovered by the Justice Department.
Outside of the hack of JBS, which led to an $11 million payment, REvil claimed a big scalp in an attack that exploited an unpatched “zero-day” vulnerability in tech made by Kaseya. By targeting that one tool, it managed to hack into many Kaseya customers, locking up files at as many as 1,500 separate businesses. Its ransom demand for that attack, and the release of the key to unlock files at all affected companies, was as high as $70 million, though it went down to $50 million. It’s unclear if any payment was made.
In recent months, REvil also claimed hacks of renewable energy supplier Invenergy, PC maker Acer and Apple supplier Quanta Computer. According to data from cybersecurity firm Check Point, the firm saw 15 attacks carried out by REvil per week over the last two months.