REvil, the infamous Russia-linked ransomware gang responsible for the high-profile attacks on Kaseya, Travelex and JBS, has gone dark again after its payment portal and data leak blog were allegedly hijacked.
The shutdown comes weeks after the group reappeared from a month-long hiatus, during which it went silent after drawing heat from the U.S. government in response to its attack on Kaseya, which resulted in thousands of businesses being infected with ransomware. News of the shutdown was first reported by a threat actor known to be linked to the REvil operation, in a post on a well-known criminal forum spotted by Recorded Future's Dmitry Smilyanets.
The threat actor's post stated that the group's Tor hidden services had been hijacked by someone holding a copy of the group's private keys, likely taken from a previous backup. "The server was compromised and they were looking for me," the post says. "To be precise, they deleted the path to my hidden service in the torrc file [used for configuring the Tor service] and raised their own so I would go there. I checked others – it wasn't. Good luck to everyone, I'm gone."
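The security point behind the post above is that a v3 onion address is nothing more than an encoding of the service's ed25519 public key, so anyone holding a copy of the hidden service's key files can raise an identical .onion on a server of their own, and that swapping the HiddenServiceDir path in torrc is enough to point the operator at it. The Python below is an added example, not code from the TechCrunch article or from REvil: it derives and validates v3 onion addresses following Tor's rend-spec-v3 construction (pubkey || checksum || version, base32 encoded) and audits a torrc for added or removed HiddenServiceDir entries. The key bytes, directory paths and torrc text are constructed placeholders, and the torrc parser assumes the simple "directive value" line format with # comments.

```python
import base64
import hashlib

# Constants from Tor's rend-spec-v3: address = base32(pubkey || checksum || version)
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum: SHA3-256(".onion checksum" || pubkey || version)[:2]."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 .onion address for a 32-byte ed25519 public key.

    Two servers configured with the same key material produce the same
    address, which is exactly what lets a stolen backup impersonate a site.
    """
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_address(address: str) -> bytes:
    """Return the public key embedded in a v3 address; raise ValueError if malformed."""
    label = address.strip().lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if len(label) != 56:
        raise ValueError("v3 onion label must be 56 base32 characters")
    raw = base64.b32decode(label.upper())  # binascii.Error is a ValueError subclass
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("onion address checksum mismatch")
    return pubkey


def is_valid_onion_address(address: str) -> bool:
    """Convenience wrapper: True if the address decodes and its checksum verifies."""
    try:
        decode_onion_address(address)
        return True
    except ValueError:
        return False


def hidden_service_dirs(torrc_text: str) -> list:
    """Collect HiddenServiceDir values from torrc text (comments stripped, in file order)."""
    dirs = []
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "hiddenservicedir":
            dirs.append(parts[1].strip())
    return dirs


def audit_torrc(torrc_text: str, expected_dirs: list) -> dict:
    """Compare the HiddenServiceDir entries in torrc against a known-good list.

    A removed entry or an unexpected new one is the tampering pattern the
    forum post describes (original path deleted, attacker's path added).
    """
    found = hidden_service_dirs(torrc_text)
    return {
        "missing": [d for d in expected_dirs if d not in found],
        "unexpected": [d for d in found if d not in expected_dirs],
    }


# Constructed sample data (placeholders, not real keys or paths):
# a 32-byte stand-in for an ed25519 public key. The address derivation does not
# validate that the bytes are a curve point, so any 32 bytes exercise the code.
SAMPLE_PUBKEY = bytes(range(32))
ORIGINAL_DIRS = ["/var/lib/tor/payment_portal/", "/var/lib/tor/leak_blog/"]
TAMPERED_TORRC = """\
SocksPort 0
# HiddenServiceDir /var/lib/tor/payment_portal/   (original entry commented out)
HiddenServiceDir /var/lib/tor/hijacked_portal/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /var/lib/tor/leak_blog/
HiddenServicePort 80 127.0.0.1:8081
"""

if __name__ == "__main__":
    addr = onion_address(SAMPLE_PUBKEY)
    print("derived address:", addr)
    print("round-trips:", decode_onion_address(addr) == SAMPLE_PUBKEY)
    print("torrc audit:", audit_torrc(TAMPERED_TORRC, ORIGINAL_DIRS))
```

The practical check for an operator is to keep the expected HiddenServiceDir paths and the expected .onion addresses out of band, then periodically compare the running torrc and each directory's hostname file against them; a mismatch means either the config or the key material has been replaced.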
At the time of writing, it is not clear who compromised REvil's servers. A report from The Washington Post in September said the FBI had obtained the group's decryption keys for the companies hit by the Kaseya attack in July, but that the agency's planned takedown of the group never happened once the group disappeared. Others have noted the possibility of a takeover by a former group member known as "Unkn", or Unknown, a longtime spokesman for the group who did not return when the rest of the group reappeared in September.
"With no confirmation of the reason for his loss, we went back to work thinking he was dead," the threat actor explained in the forum post. "But today, between 12:00 p.m. and 5:10 p.m. Moscow time, someone raised the hidden services of the landing page and the blog with the same keys as ours, so my fears were confirmed."
VX-Underground, a website that hosts malware source code, samples and papers, tweeted that only Unknown and the threat actor who wrote the forum post held the keys for the REvil domains, and that the ransomware group's domain was recently accessed using Unknown's keys.
It remains to be seen whether REvil, which McAfee linked to most of the ransomware detections in the second quarter of this year, is gone for good. Since its surprise reappearance in September, the group has struggled to recruit affiliates, leading it to raise the commission it pays affiliates in an effort to attract new threat actors.
Source: TechCrunch