REvil ransomware shuts down again after Tor site hijacking
The REvil ransomware operation likely came to a standstill again after an unknown person hijacked their Tor payment portal and data breach blog.
The Tor sites went offline earlier today, with a threat actor affiliated with the REvil operation posting on the XSS hacking forum that someone had hijacked the gang’s domains.
The news was first spotted by Recorded Future’s Dmitry Smilyanets: an unknown person brought up Tor hidden services (.onion domains) using the same private keys as the REvil Tor sites, which means they likely have backups of the sites.
“But as of today, at 5:10 pm from 12:00 am Moscow time, someone brought up the hidden services of a landing and blog with the same keys as ours, my fears were confirmed. A third party has backups with onion service keys,” a threat actor known as ‘0_neday’ posted on the hacking forum.
The threat actor went on to say that he found no sign of compromise on his servers, but would stop the operation.
The threat actor then asked affiliates to contact him to get campaign decryption keys through Tox, presumably so that affiliates can continue to extort their victims and provide a decryptor if a ransom is paid.
To start a Tor hidden service (a .onion domain), you need to generate a private and public key pair, which is used to initialize the service.
The private key should be secure and accessible only to trusted administrators, as anyone with access to this key could use it to launch the same .onion service on their own server.
Since a third party has successfully hijacked the domains, it means that they also have access to the private keys of the hidden service.
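The key relationship described above (a v3 .onion address is derived from the service’s ed25519 public key, so any host holding the matching private key can serve the same address) is shown in the following added Python example, which is not part of the original article. It implements the v3 address encoding from the Tor onion service specification (public key, two-byte SHA3-256 checksum, version byte 0x03, base32); the 32-byte keys are constructed placeholders, not real ed25519 keys, and no Tor daemon is involved.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"                   # v3 onion services
ONION_CHECKSUM_PREFIX = b".onion checksum"

# Constructed 32-byte stand-in for an ed25519 public key (not a real key;
# the address derivation only treats it as 32 opaque bytes).
CONSTRUCTED_PUBKEY = bytes(range(32))
# Second constructed key: a server whose operator did NOT obtain the original key.
OTHER_CONSTRUCTED_PUBKEY = bytes(range(1, 33))


def onion_checksum(pubkey: bytes, version: bytes = ONION_VERSION) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(ONION_CHECKSUM_PREFIX + pubkey + version).digest()[:2]


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Derive the v3 .onion address for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    # 32-byte key + 2-byte checksum + 1-byte version = 35 bytes = 56 base32 chars
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_onion_address(address: str) -> bytes:
    """Validate a v3 .onion address and return the public key embedded in it."""
    if not address.endswith(".onion"):
        raise ValueError("not a .onion address")
    label = address[: -len(".onion")]
    if len(label) != 56:
        raise ValueError("v3 onion labels are exactly 56 characters")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion service version")
    if checksum != onion_checksum(pubkey, version):
        raise ValueError("checksum mismatch")
    return pubkey


def same_service(address_a: str, address_b: str) -> bool:
    """True when two addresses name the same service, i.e. embed the same public key."""
    return pubkey_from_onion_address(address_a) == pubkey_from_onion_address(address_b)


if __name__ == "__main__":
    original = onion_address_from_pubkey(CONSTRUCTED_PUBKEY)
    # A host that holds a copy of the original key pair publishes the identical address...
    from_backup = onion_address_from_pubkey(CONSTRUCTED_PUBKEY)
    # ...while a host that generated fresh keys gets an unrelated address.
    fresh = onion_address_from_pubkey(OTHER_CONSTRUCTED_PUBKEY)
    print("original   :", original)
    print("from backup:", from_backup, "same service:", same_service(original, from_backup))
    print("fresh keys :", fresh, "same service:", same_service(original, fresh))
```

From a defender’s point of view, the takeaway is that the private key file is the service identity: rotating it yields a new address that every client must relearn, which is why backups of that key deserve the same protection as the key itself.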
Tonight, 0_neday posted again in the hacking forum thread, this time saying their server had been compromised and that whoever did it was targeting the threat actor.
At this time, it is not known who compromised their servers.
Bitdefender and law enforcement previously obtained the REvil master decryption key and released a free decryptor, and some threat actors believe that the FBI or other law enforcement agencies have had access to the servers since the operation’s restart.
Since no one knows what happened to Unknown, it is also possible that this threat actor is trying to regain control of the operation.
REvil has probably closed its doors for good
After REvil carried out a massive attack on businesses via a zero-day vulnerability in the Kaseya MSP platform, the REvil operation suddenly came to a halt and its public representative, Unknown, disappeared.
When Unknown did not return, the remaining REvil operators relaunched the operation and its websites in September from backups.
Since then, the ransomware operation has struggled to recruit affiliates, going as far as raising affiliate commissions to 90% to get other threat actors to work with them.
With this latest incident, the operation in its current form will likely be over for good.
However, no good thing lasts forever when it comes to ransomware, and we’ll likely see it rebranded as a new operation soon.