Ransomware Group REvil Dismantled in Raids, Russia Says

U.S. officials have said that the Kremlin could shut down hacker groups like REvil, but tolerates or even encourages them, as long as their targets are outside of Russia.

In July, following President Biden’s ultimatum, REvil went offline, fueling speculations about whether the Kremlin had ordered the group to go quiet, or the United States or its allies had managed to disrupt its operations, or the group itself had decided to go underground, fearing that the heat had become too intense.

However, it resurfaced two months later, reactivating a portal victims use to make payments. In October, it was again forced offline, temporarily, by a counter-hacking effort mounted by the governments of several countries, including the United States.

REvil, short for “ransomware evil” has been one of the most notorious ransomware hacking groups sought by United States law enforcement. Ransomware groups hack into a victim’s computer system and encrypt its data, effectively locking out the owners, and extort them for money — sometimes millions of dollars, paid in cryptocurrency — in return for reversing the encryption.

U.S. intelligence agencies identified REvil as responsible for the attack on one of America’s largest beef producers, JBS, last June, forcing the shutdown of nine beef plants. In the end, JBS said it had paid an $11 million ransom in Bitcoin. The operator of the Colonial Pipeline paid almost $5 million in Bitcoin.

REvil also took credit for what was described as the biggest ransomware hack ever in July, affecting up to 1,500 businesses around the world.

The organization boasted about its attacks on its site — called “Happy Blog” — on the dark web, where it listed some of its victims and earnings from its digital extortion schemes.