REvil has once again shut down its operations as its Tor payment portal and data leak blog were offline for the second time in the span of a few months. The information was revealed by an affiliate of REvil, identified as 0_neday, on the XSS hacking forum.
How REvil disappeared
The post on the hacking forum was spotted by Recorded Future. In a series of posts put on the forum, 0_neday stated that an unknown individual has hijacked the Tor sites linked to REvil.
The post stated that someone had hijacked the onion domains with the same private keys as that of REvil’s sites.
The post further stated that the attacker may have got hold of only the backups and there were no signs of compromise on its actual servers. However, for security reasons, the gang decided to shut down ransomware operations.
In another post, the spokesperson claimed that the hacked REvil’s server now leads to some other services.
0_neday told other affiliates they can still continue extorting their victims. He asked affiliates to reach out to him for campaign decryption keys through Tox. He can still provide a decryptor if the ransom has been paid.
Researchers mentioned that it was possible that the attacker is ‘Unknown’, the original mastermind behind the REvil ransomware, who also was the official spokesperson of the gang.
0_neday said Unknown might have lost control after the previous shutdown attempt and is now trying to regain that control.
Blast from the past
This is the second time that REvil has shut down its operations. However, it didn’t last for long as the attackers were back in no time.
In July, the payment site, public site, helpdesk chat, and negotiation portal of the ransomware gang were found offline. The possible reasons behind it are either internal disputes or fear of increasing takedown attempts by law enforcement.
In September, the group’s dark web servers were active again with their payment, negotiation, and data leak sites being online.
REvil being shut down is indeed good news for enterprises across the globe. However, the past disappearance and subsequent comeback showed that there is no such thing as a permanent shutdown when it comes to such well-organized ransomware gangs. Thus, organizations should stay protected from such threats by keeping a reliable backup and adopting proactive defenses.