Brett Callow, who works with the New Zealand-headquartered security outfit Emsisoft, told iTWire: "Everybody knows the forums are monitored, and that includes the crims. The information they post is likely to be complete bollocks intended to mislead anybody who may be trying to work out what they’re actually up to. Law enforcement, for example."
The website Bleeping Computer, which is something of a specialist operation as far as ransomware is concerned, said the shutdown had taken place after someone hijacked the group's Tor payment leak portal and data leak blog on the dark web.
Reporter Lawrence Abrams said a person known as Dmitry Smilyanets, who works for the threat intelligence firm Recorded Future and also writes for The Record, a website belonging to the company, had found a thread claiming to offer the reason for the disappearance of REvil. The CIA's investment arm, In-Q-Tel is an investor in Recorded Future.
REvil quitting again announcement in GIF form pic.twitter.com/E21W3UOuxn— Kevin Beaumont (@GossiTheDog) October 18, 2021
REvil went offline in July for the first time, after the ransomware had been used to attack about 60 managed service providers, using a zero-day flaw in the Kaseya VSA remote management software. Kaseya is a solutions developer for MSPs.
Roughly two months later, REvil came back online. There has been speculation that the dark web operations of REvil disappeared in July due to a technical issue. Once the site came back online, it was taken to mean that the operators had been merely lying low.
Pressure on ransomware gangs has increased after a hit on the Colonial pipeline in the US in May by the DarkSide ransomware gang.
That was ramped up further after the Kaseya incident, with US President Joe Biden raising the issue with his Russian counterpart, Vladimir Putin, during talks.
The US convened an online meeting of some 31 countries recently to discuss steps to prevent ransomware attacks, but for some unknown reason did not invite either Russia or China.
Many ransomware gangs are based in Russia, but appear to be free to operate provided they do not attack sites within the country.
Callow said he had no clue as to what had happened to take the REvil site offline again. "They could've been taken down as part of an effort by law enforcement, or Team REvil could be pulling a disappearing act in an attempt to scam their partners in crime, or it could be something else entirely," he said.
"What I do know, however, is that comments made in forums by individuals purporting to be members of cyber crime operations should be viewed with extreme scepticism."
REvil has been one of the most prolific ransomware groups since the time when this genre of malware became the top issue affecting network security at companies running Windows.