REvil ransomware gang darkens after their Tor sites are hacked
In July 2021, the REvil ransomware group disappeared due to mounting pressure from the United States following the attack on Kaseya. However, the group was back in September 2021 carrying out extortion-based DDoS attacks against internet phone service providers in UK and Canada / America.
The infamous REvil ransomware group has suddenly announced that it is shutting down its operations. The group, which rose to prominence in cyberspace with high-profile ransomware attacks against Kaseya, JBS, and Travelex this year, has reportedly decided to go underground after its Tor payment portal and data leak blog were hijacked.
News of the REvil shutdown was posted on a well-known criminal forum by a threat actor, “0_neday”, suspected of being associated with the gang, and was first reported by Dmitry Smilyanets of Recorded Future.
REvil announces the closure
The post in which the group announced it was shutting down revealed that the REvil gang’s Tor services had been hijacked: whoever hacked them replaced the services with their own, using a copy of the gang’s private keys, which they must have obtained from a previous backup. The server was claimed to be “compromised” and the group said in the post that “they were looking for me”.
“To be precise, they deleted my service path hidden in the torrc file [used for configuring the Tor service] and raised theirs for me to go. I checked on the others – it wasn’t. Good luck everyone, I’m leaving,” the REvil operator noted in the post.
As the screenshot below shows, the operator used the infamous Russian-language hacker forum XSS.IS to publish his post:
Who hijacked the REvil Tor sites?
At this time, there is no clarity as to who might have hijacked REvil’s Tor sites. According to the Washington Post, the FBI had managed to gain access to the encryption keys used by the REvil gang for the Kaseya attack in July, but the agency was unable to eliminate the gang.
There are rumors that the Tor sites were taken over by a former member of the REvil group known as Unkn / Unknown, who served as a spokesperson for the gang but did not accompany them when the group resurfaced in September 2021.
A website called VX-Underground tweeted that only Unknown and the threat actor on whose forum REvil’s closing statement was posted had access to the domain keys, and that the ransomware gang’s domain was recently accessed with Unknown’s keys.
“Since there was no confirmation of the reason for his loss, we went back to work, believing he was dead. But as we have today at 5:10 pm from 12:00 am Moscow time, someone mentioned the hidden services of a landing and a blog with the same key as ours, my fears were concerned,” the threat actor explained.
However, in a conversation with Hackread.com, Steve Moore, Chief Security Strategist at Exabeam, said, “This latest disruption appears to be caused by insider fighting or a possible offensive withdrawal – that’s the final blow for REvil. The operator only mentions a ‘third party’ – no attempt is made to identify their identity.
“Keep in mind that these are organizations like any other, but with fewer rules. Based on the information shared, they lost control of their backups which contained keys to overtake their network. In the exciting twist, the opponent has apparently been knocked out due to poor technological hygiene, a loophole typically exploited by them to extort money from their victims,” Moore added.