Just days after President Biden called President Vladimir V. Putin of Russia and demanded that he act to shut down ransomware groups that are attacking American targets, the biggest of them has gone off-line. The mystery is who made that happen.
The group, called REvil, short for “Ransomware evil,” is believed responsible for the attack that brought down one of America’s largest beef producers, JBS, and it took credit for a hack that affected thousands of businesses around the world over the July 4 holiday. On Friday, describing his ultimatum to the Russian president, Mr. Biden said “we expect them to act,” and when asked later if he would take down the group’s servers if Mr. Putin did not, the president simply said, “Yes.”
But that is only one possible explanation for what happened around 1 a.m. on Tuesday, when the group’s sites on the dark web suddenly disappeared. Gone was the publicly-available “happy blog’’ that the group maintained, listing its victims, and internet security groups said the custom-made sites where victims negotiate with REvil over how much they will pay to get their data unlocked were also missing.
While their disappearance was celebrated by many who see ransomware as a new scourge, one that Mr. Biden has called a critical national security threat, it left others in the lurch — unable to pay the ransom to get their data back, and their businesses back up and running.
“What’s the plan for the victims?” asked Kurtis Minder, the chief executive of Groupsense, a digital risk protection company that was negotiating with the extortionists on behalf of a regional law firm whose data was stolen.
There were three main theories floating around about why REvil, which seemed to revel in the publicity and reaped huge ransoms — including $11 million from JBS — suddenly disappeared.
One is that Mr. Biden ordered the United States Cyber Command, working with domestic law enforcement agencies, including the F.B.I., to bring it down. Cyber Command proved last year that it could do just that, paralyzing a ransomware group that it feared might turn its skills to freezing up voter registrations or other election data in the 2020 election.
The second theory is that Mr. Putin ordered the group taken down by Russia. If so, that would be a gesture toward heeding Mr. Biden’s warning, which he offered, in more general terms, when the two leaders met June 16 in Geneva.
And a third is that REvil decided that the heat was too intense, and took itself down to avoid becoming part of the crossfire between the American and Russian presidents. That is what another Russian-based group, Darkside, did after the ransomware attack on Colonial Pipeline, the U.S. company that had to shut down the gasoline and jet fuel running up the East Coast in May.
But many experts think that Darkside’s going-out-of-business move was digital theater, and that all of the key ransomware talent would reassemble under a different name. If so, the same could happen with REvil.
Just a few months ago, ransomware was considered largely a criminal problem. But after the attack on Colonial Pipeline, Mr. Biden and his advisers began to declare that attacks which threaten critical infrastructure constitute a major national security threat.