REvil vanishes from the web without a trace
The mysterious shutdown comes only days after the ransomware group’s massive Kaseya cyber attack hit at least 1,000 businesses


The notorious ransomware gang REVil, also known as Sodinokibi, has disappeared from the internet, with its entire web presence rendered offline.
REvil has carved a reputation in recent years as being highly prolific, unafraid of targeting massive companies and demanding increasingly eye-watering sums of money following its attacks. The firm also licenses its malware in a form of ransomware as a service (RaaS) operating model.
According to various security researchers, the group’s servers and its payment sites are down, while its public spokesperson, who goes by 'Unknown', hasn’t been active since last Thursday. It’s too early to tell how or why all traces of REvil has vanished, and researchers are urging caution as speculation runs rife.
The shutdown is particularly strange given the timing, with REvil only days ago launching a massive attack against Kaseya that is said to have affected 1,500 businesses, with the group demanding a $70 million ransom in exchange for providing the universal decryption key. REvil also recently targeted Apple, threatening to release hardware schematics, and last year claimed to have made $100 million from its activities.
“It would seem that everything is down for REvil (landing page, payment, ‘helpdesk’ chat),” said Exabeam’s chief security strategist, Steve Moore.
“This outage could be criminal maintenance, planned retirement, or, more likely, the result of an offensive response to the criminal enterprise – we don’t know.
RELATED RESOURCE
2021 IBM Security X-Force Insider Threat Report
Top discovery methods and recommendations for insider attacks
In the absence of a definitive answer, speculation is rife on social media and within the cyber security community as to what might have caused this shutdown, with US-led enforcement action one of the prevailing theories. The operators behind the ransomware that targeted the US Colonial Pipeline, for instance, claimed they were targeted by law enforcement officials shortly after their major attack.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Other security specialists are speculating that it’s more likely to be hardware-related or even self-initiated. Ransomware and malware specialist Lawrence Abrams has suggested as much, claiming the disappearance could be part of a rebranding effort. He later added that LockBit ransomware representatives claim the authorities targeted one of REvil’s servers, which was subsequently wiped. REvil’s spokesperson, Unknown, was then also banned on the widely visited Russian-speaking hacking forum XSS.
Another cyber security expert, Kevin Beaumont, has claimed that such a disappearance isn’t too unusual, with different groups likely to have stability issues due to the way they operate. While it’s possible that law enforcement agencies targeted the group, it’s equally likely that REvil has had an internal falling out or hardware failure, he added.
In a later tweet, Beaumont reported that according to chatter on the dark web, REvil has performed an exit scam, and so has been purged from the internet. In cyber crime terms, an exit scam involves a group ceasing operating for its clients, by claiming that their databases were seized, for example, before walking away with deposits and providing their clients with nothing in exchange.
One well-known exit scam involved Jokeroo ransomware in 2019, in which the RaaS site claimed their servers were seized by the Royal Thai Police (RTP) alongside Europol and the Dutch National Police (DNP). Researchers, at the time, reached out to all three agencies, with Europol denying it was involved in any operation, according to Binary Defence.
Cyber security specialist with Eset, Jake Moore, has suggested the shutdown could be the result of enforcement action, with the increasing scale and breadth of new and improving police tactics starting to take effect.
“With recent state of the art techniques used to target displacing the money in other operations, it is clear that the police are beginning to turn the tide and fight back on digital crime,” he said.
“Although the detail in such law enforcement tactics still remains unknown to the public, it highlights the police are continuing to grow in their operations and fight from different angles. However, this setback for REvil will unlikely deter them completely, if anything, it may spur them on more.”
Steve Moore, from Exabeam, added that If the outage is the result of an offensive response, this then sends a message to these groups that they have a limited window in which to work.
“If a nation responds to criminals backed by and hosted in another country, this will change the definition of risk for affected private organisations,” he continued. “The question becomes, who is and isn’t ready to participate in this new theatre? If a nation engages in offensive ‘hack back’ operations, then to what degree should they defend private companies as well – which is arguably more valuable?”

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crime
News A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs