Laying low, taken down, or self-dismantling due to reasons unknown? Which group will take its place soon?

After the massive ransomware attack on Kaseya recently, the REvil group has gone silent this week. Security researchers have been reporting that REvil’s websites have been down, including their public site, negotiation portal, ‘helpdesk’ chat function, and even their payment site.

Just a quick refresher: the group has been implicated in the JBS Foods ransomware affair in May; the April attack on Quanta, a manufacturer of Apple products; a little-publicized attack on a US nuclear weapons subcontractor in June; and most recently the Kaseya incident.

Was President Biden’s strong message to President Putin a catalyst for REvil’s latest move? Was some large-scale witch hunt by the new National Cyber Director Chris Inglis the cause of the group’s abrupt and unceremonious quiescence?

There have been many speculations about this recent development. Some think that they have been taken down by the authorities; other security experts feel that the group may have taken their websites offline to lay low for a bit.

Gary Gardiner, Head of Security Engineering (APAC & Japan), Check Point Software Technologies, offered his take: “One possibility is a silent takedown, similar to what happened in the DarkSide situation, where hackers were silently taken offline by the feds. Though it might be too early to celebrate, because another viable possibility is that the ransomware gang has decided to lay low, given all the attention and spotlight they’ve undergone recently from the Kaseya, Colonial Pipeline and JBS attacks. It’s also possible that REvil group has gone into ‘retirement’, or at least a temporary one, as they did with the GandCrab ransomware a few years ago. We recommend not jumping to any immediate conclusions as it’s early, but REvil is, indeed, one of the most ruthless and creative ransomware gangs we’ve ever seen.”