2021-07-13

The group, called REvil, short for “Ransomware evil,” has been identified by US intelligence agencies as responsible for the attack that brought down one of America’s largest beef producers, JBS. Two weeks after Biden and Putin met in Geneva last month, REvil took credit for a hack that affected thousands of businesses around the world over the July 4 holiday.

Just days after President Biden called President Vladimir V. Putin of Russia and demanded that he act to shut down ransomware groups that are attacking American targets, the most aggressive of the groups suddenly went offline early Tuesday morning, terminating negotiations over ransom payments and even bringing down the page where it boasted about its most successful extortion schemes.

That latest attack led to Biden’s ultimatum in a phone call on Friday to the Russian president. Afterward, Biden said “we expect them to act,” and when a reporter asked whether he would take down the group’s servers if Putin did not, the president simply said, “Yes.”

He may have done exactly that. But that is only one possible explanation for what happened around 1 a.m. Tuesday, when the group’s sites on the dark web suddenly disappeared. Gone was the publicly available “Happy Blog” that the group maintained, listing its victims, and Internet security groups said the custom-made sites where victims negotiate with REvil over how much they will pay to get their data unlocked were also missing.

While their disappearance was celebrated by many who see ransomware as a new scourge, one that Biden has called a critical national security threat, it left some of the group’s targets in the lurch — unable to pay the ransom to get their data back and their businesses back up and running.

“What’s the plan for the victims?” asked Kurtis Minder, the chief executive of Groupsense, a digital risk protection company that was negotiating with the extortionists on behalf of a regional law firm whose data was stolen.

There were three main theories floating around about why REvil, which seemed to revel in the publicity and reaped huge ransoms — including $11 million from JBS — suddenly disappeared.

One is that Biden ordered the United States Cyber Command, working with domestic law enforcement agencies, including the FBI, to bring the group’s sites down. Cyber Command proved last year that it could do just that, paralyzing a ransomware group that it feared might turn its skills to freezing up voter registrations or other election data in the 2020 election.

The second theory is that Putin ordered the group’s sites taken down. If so, that would be a gesture toward heeding Biden’s warning, which he offered, in more general terms, when the two leaders met on June 16 in Geneva.

And a third is that REvil decided that the heat was too intense, and took the sites down itself to avoid being caught in the crossfire between the American and Russian presidents. That is what another Russian-based group, Darkside, did after the ransomware attack on Colonial Pipeline, the US company that in May had to shut down the pipeline carrying gasoline and jet fuel up the East Coast.

But many experts think that Darkside’s going-out-of-business move was digital theater, and that all of the key ransomware talent would reassemble under a different name. If so, the same could happen with REvil.

Just a few months ago, ransomware was considered largely a criminal problem. But after the attack on Colonial Pipeline, Biden and his advisers began to declare that attacks that threaten critical infrastructure constitute a major national security threat.