The second theory is that Mr Putin ordered the group’s websites to be removed. If so, it would be a gesture to heed Mr Biden’s warning, which he had also expressed more generally when the two leaders met in Geneva on June 16. And it comes only a day or two before a US-Russian working group on the subject, set up during the Geneva meeting, is due to hold a virtual meeting.
A third theory is that REvil decided the heat was too intense and shut down the sites itself so as not to get caught in the crossfire between the American and Russian presidents. This is what another Russian group, DarkSide, did after the ransomware attack on Colonial Pipeline, the US company that in May had to shut down the pipeline supplying gasoline and kerosene to much of the east coast after its computer network was breached.
However, many experts believe that DarkSide’s exit from the business was nothing more than digital theater and that all of the group’s major ransomware talents will be reassembling under a different name. If so, the same could happen to REvil, which Recorded Future, a Massachusetts-based cybersecurity firm, estimates is responsible for about a quarter of all sophisticated ransomware attacks on Western targets.
Allan Liska, a senior intelligence analyst at Recorded Future, said if REvil went missing, he doubted it was voluntary. “If anything, these guys are show-offs,” said Mr Liska. “And we saw no notes, no showing off. It feels like they gave up everything under pressure.”
There were indications that the pressure may have come from Russia. Gen. Paul M. Nakasone, the commander of U.S. Cyber Command and director of the National Security Agency, was not expected to have a full set of options for U.S. action against ransomware actors until later this week, several officials said. And there was no evidence that REvil’s websites were “seized” under the kind of court order that the Justice Department frequently publicizes.
Cyber Command declined to comment.
While the closing of REvil would give Mr Putin and Mr Biden an opportunity to show that they are addressing the problem, it could also give ransomware actors a chance to get away with their profits. The big losers would be the companies and cities that do not get their encryption keys and may be locked out of their data forever. (When ransomware groups break up, they often release their decryption keys. That didn’t happen on Tuesday.)
Mr Biden is expected to roll out a ransomware strategy in the coming weeks, reflecting the view that the Colonial Pipeline and other recent attacks showed how crippling critical infrastructure poses a major national security threat.