Russian Group Responsible for JBS Meat Plant Cyberattack Goes Offline

The Russian-based criminal syndicate that launched a Memorial Day ransomware attack on a major meat processor and a software company went offline Tuesday, but cybersecurity experts said it was too soon to say why and that nothing signaled a takedown by authorities.

REvil's dark web data-leak site and ransom-negotiating portals went dark, cybersecurity researchers said. The group drew global attention when it attacked the meat processor JBS and Kaseya, the software company, damaging more than 1,000 businesses around the world.

On Friday, President Joe Biden implored Russian President Vladimir Putin on a call to get a handle on the attacks coming out of Russia, warning that the U.S. was prepared to defend its citizens and critical infrastructure.

"It could be that the server hardware failed, or that it was intentionally taken down, or that someone attacked their host," said Sean Gallagher, a threat researcher at the cybersecurity firm Sophos. He noted that REvil's public ransom-negotiating site was also down last week.

For more reporting from the Associated Press, continue below.

The Russian hacking group responsible for the JBS cyberattack has gone dark online. Here, Russian President Vladimir Putin attends an annual televised phone-in with the country's citizens at Moscow's World Trade Center studio on June 30, 2021. SERGEI SAVOSTYANOV/SPUTNIK/AFP/Getty Images

But there were no immediate or public signs that the government had anything to do with REvil appearing offline. It was also possible that the group was lying low after the attack, or switching methods "as we did expose them," said threat researcher Ryan Sherstobitoff of SecurityScorecard.

Spokespeople for the White House and U.S. Cyber Command, the Pentagon's cyber arm, declined to comment on Tuesday.

"We have seen no indicators for either voluntary shutdown nor of any offensive steps from law enforcement," said Alex Holden, founder and chief information security officer of Hold Security. "Right now, perhaps, it is too early to speculate, especially as REvil was building up their strength over the recent months."

"There is always a glimmer of hope that Russia is finally doing something right," he added.

Ransomware variants have previously disappeared as the criminals behind them retooled and modified their malware before introducing it under a new guise. That's what threat analysts believe happened with a precursor to the REvil ransomware-as-a-service software called Gandcrab. It was the most successful variant over a 15-month run that began in January 2018.

Cybersecurity experts say it's too soon to know why REvil went dark at this point. This Feb 23, 2019, file photo shows the inside of a computer in Jersey City, N.J. Jenny Kane/AP Photo