The second theory is that Mr. Putin ordered the group’s sites taken down. If so, that would be a gesture toward heeding Mr. Biden’s warning, which he had also conveyed, in more general terms, when the two leaders met on June 16 in Geneva. And it would come just a day or two before a U.S.-Russia working group on the issue, set up during the Geneva meeting, is supposed to hold a virtual meeting.
A third theory is that REvil decided that the heat was too intense, and took the sites down itself to avoid becoming caught in the crossfire between the American and Russian presidents. That is what another Russian-based group, DarkSide, did after the ransomware attack on Colonial Pipeline, the U.S. company that in May had to shut down the pipeline that provides gasoline and jet fuel to much of the East Coast after its computer network was breached.
But many experts think that DarkSide’s going-out-of-business move was nothing but digital theater, and that all of the group’s key ransomware talent will reassemble under a different name. If so, the same could happen with REvil, which Recorded Future, a Massachusetts cybersecurity firm, estimates has been responsible for roughly a quarter of all the sophisticated ransomware attacks on Western targets. .
Allan Liska, a senior intelligence analyst at Recorded Future, said that if REvil has disappeared, he doubted it was voluntary. “If anything, these guys are braggadocios,” Mr. Liska said. “And we didn’t see any notes, any bragging. It sure feels like they abandoned everything under pressure.”
There were suggestions that the pressure may have come from Russia. The commander of United States Cyber Command and director of the National Security Agency, Gen. Paul M. Nakasone, was not expected to get the full options for U.S. action against ransomware actors until later this week, several officials said. And there was no evidence that REvil’s sites had been “seized” by a court order, which the Justice Department frequently posts.
Cyber Command declined to comment.
While shutting REvil for now would give Mr. Putin and Mr. Biden a chance to show they were confronting the problem, it could also give the ransomware actors an opportunity to walk away with their winnings. The big losers would be the companies and towns that do not get their encryption keys, and are locked out of their data, perhaps forever. (Often when ransomware groups disband, they publish their decryption keys. That did not happen on Tuesday.)
Mr. Biden is expected to roll out a ransomware strategy in coming weeks, making the case that Colonial Pipeline and other recent attacks show how crippling critical infrastructure constitutes a major national security threat.