Hackers used to be called cool things like “DVD Jon.” But the best name the “most aggressive” ransomware group in Russia could come up with was “Ransomware evil,” which they shortened to the cleaner and simpler “REvil.”
Anyway, REvil disappeared off the internet around 1 a.m. on July 13 and it’s unclear why. The group kept what they called a “Happy Blog” on the dark web, which is pretty clever because it wasn’t that happy. It was where they maintained a list of their victims, home-made chatrooms for cute things like ransom negotiation, and a kind of hacker EBITDA – records of income from their online extortion plots, including an Independence Day cyber attack and an $11 million deal from JBS, one of “America’s largest beef producers.” Now that’s all gone.
The three best guesses for the party responsible for REvil’s disappearance, per the New York Times, are about as imaginative as its name: Biden, Putin, or REvil. Earlier in the week, Biden rang up Putin and asked him to shut down ransomware groups that were targeting Americans. Maybe that did the trick. He seems like a reasonable guy. Alternatively, Biden could have called on the U.S. Cyber Command to shut down REvil’s websites, which seems like something he definitely should have done earlier if that was an option. Possibility three: REvil couldn’t take the heat and got out of the REvil kitchen.
In that case, they could go the route of another ransomware group, DarkSide, which shut down in May, shortly after planning the Colonial Pipeline breach. “Experts think that DarkSide’s going-out-of-business move was nothing but digital theater,” the Times wrote, “and that all of the group’s key ransomware talent will reassemble under a different name.”
The last theory seems compelling. REvil’s website could do what every disappeared blog dreams of: ReBrand.