REvil ransomware shuts down again after Tor site hijacking

By Corrine K. Thomas
October 17, 2021

The REvil ransomware operation has likely come to a standstill again after an unknown party hijacked its Tor payment portal and data leak blog.

The Tor sites went offline earlier today, with a threat actor affiliated with the REvil operation posting on the XSS hacking forum that someone had hijacked the gang's domains.

The thread was first spotted by Recorded Future's Dmitry Smilyanets. In it, the actor states that an unknown party brought up Tor hidden services (onion domains) using the same private keys as the REvil Tor sites, and therefore most likely holds backups of the sites.

“But as of today at 5:10 pm from 12:00 am Moscow time, someone brought up the hidden services of the landing and blog with the same keys as ours, my fears were confirmed. A third party has backups with onion service keys,” a threat actor known as ‘0_neday’ posted on the hacking forum.

The threat actor went on to say that they had found no signs of compromise on their servers, but that they would be shutting down the operation anyway.

The threat actor then asked affiliates to contact them via Tox to obtain the decryption keys for their campaigns, presumably so that affiliates can keep extorting their victims and hand over a decryptor if a ransom is paid.

XSS forum topic on the hijacked REvil sites

To start a Tor hidden service (a .onion domain), the operator generates a public/private key pair; the .onion address is derived from the public key, and the private key is what allows a server to publish a service under that address.

The private key must be kept secure and accessible only to trusted administrators, because anyone holding a copy of it can bring up the same .onion service on a server of their own, and Tor clients have no way to tell the two apart.

Since a third party successfully hijacked the domains, they must also have access to the hidden services' private keys, whether by copying the key directory from the server or by obtaining a backup of it.
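To make the point in the previous paragraphs concrete, here is an added example (written for this edit, not code from the article or from Tor) that derives a v3 .onion address from an ed25519 public key exactly as Tor does: base32 of the key, a two-byte SHA3-256 checksum, and the version byte 3. It also parses the on-disk layout Tor uses for hs_ed25519_public_key (a 32-byte NUL-padded tag followed by the raw key) and checks that a backup copy of that file yields the identical address. The 32-byte key and the file contents are constructed for the example and belong to no real service.

```python
import base64
import hashlib
from typing import Optional

# Constants from the v3 onion service address scheme (rend-spec-v3).
ONION_VERSION = b"\x03"                # version byte appended to every v3 address
CHECKSUM_PREFIX = b".onion checksum"   # domain separator for the checksum hash
# Layout of Tor's on-disk hs_ed25519_public_key file: a 32-byte NUL-padded tag
# followed by the raw 32-byte ed25519 public key.
PUBKEY_FILE_TAG = b"== ed25519v1-public: type0 ==".ljust(32, b"\x00")


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION)."""
    digest = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()
    return digest[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname for a 32-byte ed25519 public key.

    The address is a pure function of the key, so whoever holds the matching
    private key can publish a service under exactly this name.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_public_key_file(blob: bytes) -> bytes:
    """Extract the public key from the contents of an hs_ed25519_public_key file."""
    if len(blob) != 64 or blob[:32] != PUBKEY_FILE_TAG:
        raise ValueError("not an hs_ed25519_public_key file")
    return blob[32:]


def decode_onion_address(addr: str) -> Optional[bytes]:
    """Return the embedded public key if addr is a well-formed v3 address, else None."""
    name = addr.lower()
    if name.endswith(".onion"):
        name = name[:-len(".onion")]
    if len(name) != 56:
        return None
    try:
        raw = base64.b32decode(name.upper())
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION or checksum != onion_checksum(pubkey):
        return None
    return pubkey


# Constructed sample: a made-up 32-byte public key, NOT any real service's key.
SAMPLE_PUBKEY = bytes(range(32))
# Constructed sample file contents, shaped like an operator's hs_ed25519_public_key.
SAMPLE_PUBKEY_FILE = PUBKEY_FILE_TAG + SAMPLE_PUBKEY


def same_service_from_backup(original_key_file: bytes, copied_key_file: bytes) -> bool:
    """True if two key files (the operator's and a copied backup) name the same .onion."""
    original = onion_address(parse_public_key_file(original_key_file))
    copied = onion_address(parse_public_key_file(copied_key_file))
    return original == copied


if __name__ == "__main__":
    addr = onion_address(SAMPLE_PUBKEY)
    print("address:", addr)
    print("round-trips:", decode_onion_address(addr) == SAMPLE_PUBKEY)
    # A copy of the key directory gives a hijacker the identical address.
    backup = bytes(SAMPLE_PUBKEY_FILE)
    print("backup yields same service:", same_service_from_backup(SAMPLE_PUBKEY_FILE, backup))
```

Nothing in the address ties it to a particular server: the name is just the public key plus a checksum, and the private key half of the pair is the only thing that lets a host publish a descriptor for it. That is why a leaked key directory, or a backup of one, is equivalent to owning the domain.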

Later in the day, 0_neday posted again in the forum thread, this time stating that their server had been compromised and that whoever did it was targeting the threat actor directly.

Forum message stating that the REvil server has been compromised

At this time, it is not known who compromised their servers.

Because Bitdefender and law enforcement obtained the REvil master decryption key and released a free decryptor, some threat actors believe that the FBI or other law enforcement agencies have had access to the servers since the operation's relaunch.

Since no one knows what happened to Unknown, it is also possible that this actor is trying to regain control of the operation.

REvil has probably closed its doors for good

After REvil carried out a massive attack on businesses through a zero-day vulnerability in the Kaseya MSP platform, the REvil operation suddenly went quiet and its public representative, Unknown, disappeared.

When Unknown did not return, the remaining REvil operators relaunched the operation and its websites in September from backups.

Since then, the ransomware operation has struggled to recruit affiliates, going as far as raising affiliate commissions to 90% to get other threat actors to work with them.

With this latest incident, the operation in its current form is likely over for good.

However, nothing ever truly ends when it comes to ransomware, and we will likely see it rebranded as a new operation before long.
