REvil ransomware group darkens after hijacking of its Tor sites – TechCrunch
REvil, the notorious Russian-linked ransomware gang responsible for the high-profile cyberattacks on Kaseya, Travelex and JBS earlier this year, has once again disappeared after its Tor payment portal and data breach blog were allegedly hijacked.
The shutdown comes weeks after the group reappeared from a month-long hiatus, during which it fell silent after facing heat from the U.S. government over its attack on Kaseya, which resulted in thousands of businesses being infected with ransomware. News of the shutdown was first reported in a post on a known criminal forum by a threat actor known to be affiliated with the REvil operation, and was first spotted by Recorded Future's Dmitry Smilyanets.
The threat actor's post said the group's Tor services had been hijacked by someone holding a copy of the group's private keys, likely from an earlier backup. "The server was compromised and they were looking for me," the post read. "To be precise, they deleted my service path hidden in the torrc file [used for configuring the Tor service] and raised theirs for me to go. I checked on the others – it wasn't. Good luck everyone, I'm leaving."
As of this writing, it is not clear who compromised REvil's servers. The Washington Post reported in September that the FBI had obtained the group's encryption keys for businesses affected by the Kaseya attack in July, but that the agency's planned action never went ahead after the group's disappearance. Others are pointing to a possible takeover by a former member of the group, known as "Unkn," or Unknown, a longtime spokesperson for the group, who did not resurface when the rest of the group reappeared in September.
"As there was no confirmation of the reason for his loss, we returned to work, believing he was dead," the threat actor explained in his forum post. "But as of today at 5:10 p.m. (12:00 p.m. Moscow time), someone brought up the hidden services of a landing and a blog with the same key as ours, my fears were confirmed."
VX-Underground, a website that hosts malware source code, samples, and documents, tweeted that only Unknown and the threat actor who posted on the forum had REvil's domain keys, and that the ransomware group's domain was recently accessed using Unknown's keys.
It remains to be seen whether REvil – linked to the majority of ransomware detections in the second quarter of this year, according to McAfee – is gone for good. But since the group's surprise reappearance in September, it has struggled to recruit affiliates, prompting the group to raise affiliate commissions to attract new threat actors.