After creating havoc across the globe in the past several months, the payment site, public site, helpdesk chat, and negotiation portal of the REvil ransomware gang are now offline, according to researchers. Experts believe it could be due to internal disputes or fear of law enforcement action. Or, maybe the group is actually heading toward a shutdown.

What happened?

The sudden takedown of the REvil’s infrastructure appears to be the group’s own conscientious decision. If not that, it can be an outcome of the recent dialogue between the U.S. and the Russian governments, and pressure from law enforcement agencies after the Kaseya attack.
  • The REvil group's infrastructure has always been looking to be more stable and robust than the other ransomware gangs.
  • Other threat actors on Russian-language forums speculated that even if law enforcement agencies have successfully targeted the REvil, this will not be the end of the world for the group.
  • Some threat actors on the forum foretold that the group will make an appearance again in the near future. The group could use another name or split into smaller groups to stay hidden.

Recent closings of other ransomware operations

It’s not the first incident that happened in the past few months where a well-established ransomware group had shut down its operations. There have been multiple ransomware gangs shutting their shops.
  • A month ago, the Avaddon ransomware group had shut down its operations along with sending all 2,934 decryption keys in a Zip file named Decryption Keys Ransomware Avaddon to a news website.
  • In May, the DarkSide ransomware group claimed to shut down its operations after its attack on Colonial Pipeline. This incident made a lot of buzz in global news along with outrage in the U.S.


It is not clear why all of a sudden these websites went offline. If the group has decided to no more engage in encryption-based extortion, the news of shutdown for a prominent gang like REvil is indeed a positive development for the security community. Nevertheless, it will be too early to feel relieved. If the gang happens to sell its attack infrastructure to other cybercrime groups, you may want to stay alert and informed.

Cyware Publisher