{
	"id": "09a09e85-cdcf-4db1-9a22-74d66302a55b",
	"created_at": "2026-04-06T00:08:37.171126Z",
	"updated_at": "2026-04-10T13:13:07.421241Z",
	"deleted_at": null,
	"sha1_hash": "7557da85e5b434df276234f385a69e9f731ae5c6",
	"title": "Ransomware Giant REvil’s Sites Disappear",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 87770,
	"plain_text": "Ransomware Giant REvil’s Sites Disappear\r\nBy Lisa Vaas\r\nPublished: 2021-07-13 · Archived: 2026-04-06 00:05:43 UTC\r\nJust days after President Biden demanded that Russian President Putin shut down ransomware groups, the servers\r\nof one of the biggest groups mysteriously went dark.\r\nAll of REvil’s Dark Web sites slipped offline as of early Tuesday morning, and it’s not clear whether it’s due to the\r\nransomware gang getting busted or whether the threat actors did it on purpose.\r\nThe REvil ransomware operation, a.k.a. Sodinokibi, uses both clear web and Dark Web sites to negotiate ransoms,\r\nleak data, support its backend infrastructure and receive payment from its many victimized organizations. That\r\nvictims list has recently grown with the addition of Kaseya and its many managed service provider (MSP)\r\ncustomers, as well as the global meat supplier JBS Foods.\r\nAll of REvil’s sites went offline as of around 1 a.m. It doesn’t mean that the notorious gang has been shut down,\r\nas one cybersecurity expert emphasized – it’s just that all its sites were unreachable, up until at least Tuesday at\r\n2:55 p.m. EDT.\r\n“Onionsite not found” message displaying in place of REvil’s site. Source: BleepingComputer\r\nOne possibility: It could be that the U.S. shut down the servers. Then again, perhaps it was the Russian\r\ngovernment. The timing would make sense, given the White House’s saber-rattling at Russia over the ransomware\r\nplague. The silenced servers come just a few days after President Biden called President Vladimir V. Putin of\r\nRussia and demanded that he shut down ransomware groups attacking American targets.\r\nhttps://threatpost.com/ransomware-revil-sites-disappears/167745/\r\nPage 1 of 4\n\nIf you don’t, we will, Biden said. On Friday, when a pool of reporters asked the president if the U.S. 
might attack\r\nthe servers that Russia-linked cybercriminals have used to hijack American networks, he said, “Yes.”\r\nRansomware Gangs Are ‘on Borrowed Time’\r\nJake Williams, co-founder and CTO at BreachQuest, told Threatpost that it’s all just speculation at this point, but\r\nransomware gangs operating in Russia “were on borrowed time the second Colonial was hit.” He was referring to\r\nthe ransomware attack on Colonial Pipeline leading up to Memorial Day Weekend: An attack that was attributed\r\nto the ransomware-as-a-service (RaaS) player DarkSide.\r\n“The Russian government didn’t care about the cybercrime occurring within its borders, but only so long as it\r\ndidn’t impact Russia itself,” Williams said in an email. “That has clearly changed – the Russian government can\r\nclearly see they are being impacted by the actions of these actors. Whether REvil was taken out of commission by\r\nthe Russian government, saw the writing on the wall and took infrastructure down, is simply rebranding like so\r\nmany groups have (likely including REvil itself), or something else, is unknown at this point.”\r\nTheories abound. Drew Schmitt, principal threat intelligence analyst for GuidePoint Security, echoed Williams’\r\nassertion that the darkened servers could be attributed to a number of things at this point.\r\n“A lack of DNS response is a potential indicator of law enforcement involvement, but it’s not enough to determine\r\nwhether the threat group changed their URL, is doing maintenance, or something similar,” he told Threatpost on\r\nTuesday via email.\r\n“An unresolved DNS response over a short period of time is not necessarily a strong indicator without correlating\r\nevidence, statements, etc.,” he expounded. 
“It could be a short outage, however, we would need more time and\r\nevidence to tell what actually may be going on.”\r\nThis isn’t the first time, at any rate: Last week, REvil’s site went down for a short while, according to Schmitt.\r\nIt could be that REvil chose to fade away, or it could be that its servers were seized a la DarkSide. In the DarkSide\r\nserver shutdown, the threat actor posted on an underground forum that it had lost access to the public part of its\r\ninfrastructure: Specifically, the servers for its blog, payment processing and denial-of-service (DoS) operations\r\nhad been seized.\r\nThe Tor Project’s Al Smith told BleepingComputer that the “Onionsite Not Found” message could mean a few\r\nthings: “In simple terms, this error generally means that the onion site is offline or disabled. To know for sure,\r\nyou’d need to contact the onion site administrator,” he was quoted as saying.\r\nThe sites have recently been active. But as of Tuesday afternoon, visitors were being greeted with messages\r\nsaying that “A server with the specified hostname could not be found.”\r\nA ‘Planned’ Takedown\r\nAnother cybersecurity expert, John Hultquist of Mandiant Threat Intelligence, told CNBC that it looks like this\r\nwas an intentional, orderly takedown, though we don’t know yet who’s behind it: “The situation is still unfolding,\r\nbut evidence suggests REvil has suffered a planned, concurrent takedown of their infrastructure, either by the\r\noperators themselves or via industry or law enforcement action,” he said.\r\nREvil’s Usually Up and Humming\r\nAt any rate, the inaccessibility of the REvil ransomware group’s websites is unusual, according to the Photon\r\nresearch team at Digital Shadows. 
The team told Threatpost that REvil’s infrastructure “has historically been more\r\nstable than that of other ransomware groups.”\r\nThey suggested that the outage could be caused by temporary technical issues or upgrades, or it could signify a\r\nlaw-enforcement disruption of the group’s operations. But they did note that as of Tuesday, REvil’s representatives\r\n“have not appeared on high-profile Russian-language cybercriminal forums for several days.”\r\nThis Is Likely Not REvil’s Last Hurrah\r\nThe Photon team added that, while chatter about the outage is limited due to some Russian-language forums’\r\n“hostile attitude towards discussing ransomware,” some threat actors have speculated that even if law-enforcement\r\nagencies have successfully targeted REvil, it won’t spell the end of the group’s activities. Some threat actors\r\npredicted that the group will reappear under another name or split into smaller groups to attract less attention, the\r\nteam said via email.\r\nMeanwhile, the ripples of ransomware attacks by the likes of REvil can spread for months. That was evidenced by\r\nan attack on the Guess fashion label that compromised the personal and banking data of 1,300 victims. That data\r\nspill came after a February ransomware attack inflicted on Guess and attributed to DarkSide.\r\nGuess has started sending letters to 1,300 employees and contractors who had their personal and banking data\r\nexposed during the breach.\r\nBut Hurray Nonetheless?\r\nRegardless of whether it’s a permanent shutdown or a temporary shut-up, REvil’s darkened servers are cause for\r\ncelebration, some said.\r\nKatie Nickels, director of intelligence for Red Canary, commented on Twitter: “I don’t know what this means, but\r\nregardless, I’m happy! If it’s a government takedown – awesome, they’re taking action. If the actors voluntarily\r\nwent quiet – excellent, maybe they’re scared.”\r\nDoes it matter either way? 
Nickels thinks not: “It’s still important to remember that this doesn’t solve\r\nransomware.”\r\nSource: https://threatpost.com/ransomware-revil-sites-disappears/167745/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/ransomware-revil-sites-disappears/167745/"
	],
	"report_names": [
		"167745"
	],
	"threat_actors": [],
	"ts_created_at": 1775434117,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7557da85e5b434df276234f385a69e9f731ae5c6.pdf",
		"text": "https://archive.orkl.eu/7557da85e5b434df276234f385a69e9f731ae5c6.txt",
		"img": "https://archive.orkl.eu/7557da85e5b434df276234f385a69e9f731ae5c6.jpg"
	}
}