The infrastructure and websites for the REvil ransomware operation have mysteriously gone offline as of last night.
The REvil ransomware operation, aka Sodinokibi, operates through numerous clear web and dark web sites used as ransom negotiation sites, ransomware data leak sites, and backend infrastructure.
Starting last night, the websites and backend infrastructure used by the REvil ransomware operation went offline and have stayed down.
While it is not unheard of for individual REvil sites to lose connectivity for some time, for all of the sites to go down simultaneously is unusual.
Furthermore, the decoder[.]re clear web domain no longer resolves in DNS, which could mean that the DNS records for the domain have been pulled or that the backend DNS infrastructure that served them has been shut down.
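Those two explanations look the same in a browser but not to a resolver, and telling them apart is the first check an analyst would run. The script below is an added example, not BleepingComputer's, that separates an NXDOMAIN answer (the name is gone, consistent with records being pulled or the delegation removed) from a temporary resolution failure (the authoritative nameservers are not answering, consistent with backend DNS being down), and uses a control hostname to rule out a problem with the local resolver. The resolver is injectable so the script runs offline against constructed scenarios; the control name `example.com`, the TEST-NET addresses and the scenario outcomes are assumptions, not observed data.

```python
"""Classify why a hostname stopped resolving (added example, stdlib only)."""
import socket
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], List[str]]

CONTROL = "example.com"  # assumed always-resolvable control name

# getaddrinfo error codes that mean "the resolver could not get an answer"
# rather than "the name does not exist"; EAI_FAIL is not defined everywhere.
_TRANSIENT = {socket.EAI_AGAIN, getattr(socket, "EAI_FAIL", -4)}


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS stub resolver; raises socket.gaierror on failure."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def classify(host: str, resolve: Resolver = system_resolver) -> Tuple[str, List[str]]:
    """Map a lookup to one of: resolves, nxdomain, servfail, nodata, error."""
    try:
        addrs = resolve(host)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return ("nxdomain", [])          # authoritative "no such name"
        if exc.errno in _TRANSIENT:
            return ("servfail", [])          # no answer obtained from upstream
        return ("error", [])
    except OSError:
        return ("error", [])
    return ("resolves", addrs) if addrs else ("nodata", [])


def diagnose(host: str, resolve: Resolver = system_resolver,
             control: str = CONTROL) -> str:
    """Interpret the lookup of host, but only if the control name still works.

    A failing control means the local resolver or network is the problem and
    nothing can be concluded about the target.
    """
    if classify(control, resolve)[0] != "resolves":
        return "inconclusive: control name failed, local resolver or network issue"
    status, addrs = classify(host, resolve)
    if status == "nxdomain":
        return "nxdomain: records removed or delegation pulled for " + host
    if status == "servfail":
        return "servfail: authoritative nameservers not answering for " + host
    if status == "resolves":
        return "resolves: " + host + " -> " + ", ".join(addrs)
    return status + ": no conclusion for " + host


def scenario(target_outcome: str) -> Resolver:
    """Constructed offline resolver: control resolves unless the scenario is
    'local_down'; the target behaves per target_outcome."""
    def resolve(name: str) -> List[str]:
        if target_outcome == "local_down":
            raise socket.gaierror(socket.EAI_AGAIN, "Temporary failure in name resolution")
        if name == CONTROL:
            return ["192.0.2.1"]              # TEST-NET-1, constructed
        if target_outcome == "nxdomain":
            raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
        if target_outcome == "servfail":
            raise socket.gaierror(socket.EAI_AGAIN, "Temporary failure in name resolution")
        return ["203.0.113.10"]               # TEST-NET-3, constructed
    return resolve


# Constructed scenarios covering both hypotheses in the text plus a local fault.
CONSTRUCTED_SCENARIOS: Dict[str, Resolver] = {
    "delegation_pulled": scenario("nxdomain"),
    "backend_dns_down": scenario("servfail"),
    "still_up": scenario("up"),
    "local_down": scenario("local_down"),
}


if __name__ == "__main__":
    for name, fake in CONSTRUCTED_SCENARIOS.items():
        print(f"{name:18s} {diagnose('decoder.re', fake)}")
    # Live check against the real resolver (needs network):
    # print(diagnose("decoder.re"))
```

Run it with no arguments to see the four constructed outcomes; uncomment the last line to query the live resolver. Note that a registry suspension of the domain also produces NXDOMAIN, so that result alone does not say who pulled the records, and that a resolver's negative cache can keep reporting NXDOMAIN for a while after records return; querying more than one public resolver narrows that down.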
On July 2nd, the REvil ransomware gang encrypted approximately 60 managed service providers (MSPs) and over 1,500 individual businesses using a zero-day vulnerability in the Kaseya VSA remote management software.
Since then, the ransomware group has been under increased scrutiny by law enforcement. As these ransomware gangs commonly operate out of Russia, President Biden has been discussing the attacks with President Putin and warning that if Russia did not act against threat actors within its borders, the USA would take action itself.
At this point, it is not clear whether the shutdown of these servers is simply a technical issue, whether the gang shut down its own operation, or whether a law enforcement operation took place.
Other ransomware groups, such as DarkSide and Babuk, shut down voluntarily due to increased pressure from law enforcement. However, these threat actors commonly rebrand as a new group and continue performing ransomware attacks.
BleepingComputer has contacted the FBI with questions about possible law enforcement action but has not heard back at this time.
This is a developing story.