Just days after President Biden called President Vladimir V. Putin of Russia and demanded that he act to shut down ransomware groups that have been attacking American targets, the most aggressive of those groups abruptly went offline early Tuesday morning, terminating negotiations over ransom payments and even taking down the website where it boasted about its most profitable extortion schemes.
The mystery is who made that happen.
The group, known as REvil, short for “Ransomware evil,” has been identified by U.S. intelligence agencies as responsible for the attack that brought down one of America’s largest beef producers, JBS. Two weeks after Mr. Biden and Mr. Putin met in Geneva last month, REvil took credit for a hack that affected hundreds of companies around the world over the July 4 holiday.
That latest attack led to Mr. Biden’s ultimatum in a phone call on Friday to the Russian president. Afterward, Mr. Biden said “we expect them to act,” and when asked by a reporter whether he would take down the group’s servers if Mr. Putin did not, the president simply said, “Yes.”
He may have done exactly that. But that is only one possible explanation for what happened around 1 a.m. Eastern time on Tuesday, when the group’s sites on the dark web abruptly disappeared. Gone was the publicly available “happy blog” that the group maintained, listing its victims, and internet security groups said the customized sites where victims negotiate with REvil over how much they will pay to get their data unlocked were also missing.
While their disappearance was celebrated by many who see ransomware as a new scourge, one that Mr. Biden has called a critical national security threat, it left some of the group’s targets in the lurch, unable to pay the ransom to get their data back and their businesses back up and running.
“What’s the plan for the victims?” asked Kurtis Minder, the chief executive of GroupSense, a digital risk protection company that was negotiating with the extortionists on behalf of a regional law firm whose data was stolen.
There were three main theories floating around about why REvil, which seemed to revel in the publicity and reaped enormous ransoms, including $11 million from JBS, suddenly disappeared.
One is that Mr. Biden ordered the United States Cyber Command, working with domestic law enforcement agencies, including the F.B.I., to bring the group’s sites down. Cyber Command proved last year that it could do just that, paralyzing a ransomware group that it feared might turn its skills to freezing up voter registrations or other election data in the 2020 election.
The second theory is that Mr. Putin ordered the group’s sites taken down. If so, that would be a gesture toward heeding Mr. Biden’s warning, which he offered, in more general terms, when the two leaders met on June 16 in Geneva.
And a third is that REvil decided that the heat was too intense, and took the sites down itself to avoid becoming caught in the crossfire between the American and Russian presidents. That is what another Russian-based group, DarkSide, did after the ransomware attack on Colonial Pipeline, the U.S. company that had to shut down its pipeline carrying gasoline and jet fuel up the East Coast in May.
But many experts think that DarkSide’s going-out-of-business move was digital theater, and that all of the key ransomware talent would reassemble under a different name. If so, the same could happen with REvil.
Just a few months ago, ransomware was considered largely a criminal problem. But after the attack on Colonial Pipeline, Mr. Biden and his advisers began to declare that attacks that threaten critical infrastructure constitute a major national security threat.