The incident was first noticed by Dmitry Smilyanets of Recorded Future after a member of the REvil operation reported on the XSS hacking forum that unknown actors had taken control of the gang's Tor payment portal and data leak website.
The REvil ransomware gang has disappeared again. This time, however, the criminal group likely shut down its operations because both its payment portal and its data leak site were hacked.
The REvil ransomware gang attacked the Kaseya cloud-based MSP platform on July 2, affecting MSPs and their customers. To decrypt all computers affected by the Kaseya supply-chain ransomware attack, the group demanded $70 million in Bitcoin.
The infrastructure and websites used by the REvil ransomware gang have been down since July 13th, when the Tor leak site, the payment website "decoder[.]re," and their backend infrastructure all went offline at the same time. It is unclear whether the operators shut down the business after being pressured by law enforcement.
“The server was compromised and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would (sic) go there. I checked on others – this was not. Good luck everyone, I’m off,” user 0_neday said in the post.
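A defender-side check for the kind of tampering described in the quote above, as an added example that is not part of the article: a Python script that parses the HiddenServiceDir and HiddenServicePort directives from a torrc file and compares them against a known-good baseline, flagging any expected onion service whose directory has been removed and any unknown one that has been added. The torrc contents and the baseline directory are constructed sample values.

```python
from typing import Dict, List, Set

# Constructed baseline: the onion service directory the operator expects.
EXPECTED_DIRS: Set[str] = {"/var/lib/tor/hidden_service/"}

# Constructed torrc reflecting the tampering described in the post: the
# original HiddenServiceDir line is gone and an attacker's directory was added.
SAMPLE_TORRC = """\
SocksPort 9050
HiddenServiceDir /var/lib/tor/attacker_service/
HiddenServicePort 80 127.0.0.1:8080
"""

def parse_hidden_services(torrc_text: str) -> Dict[str, List[str]]:
    """Return {HiddenServiceDir: [HiddenServicePort values that follow it]}.

    Lines whose first non-blank character is '#' are comments and torrc keys
    are case-insensitive; inline comments are not handled (simplification).
    """
    services: Dict[str, List[str]] = {}
    current = None
    for raw in torrc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "hiddenservicedir":
            current = value
            services.setdefault(current, [])
        elif key == "hiddenserviceport" and current is not None:
            services[current].append(value)
    return services

def check_torrc(torrc_text: str, expected_dirs: Set[str]) -> Dict[str, List[str]]:
    """Report expected directories that vanished and unknown ones that appeared."""
    found = set(parse_hidden_services(torrc_text))
    return {"missing": sorted(expected_dirs - found),
            "unexpected": sorted(found - expected_dirs)}

if __name__ == "__main__":
    for kind, dirs in check_torrc(SAMPLE_TORRC, EXPECTED_DIRS).items():
        for d in dirs:
            print(f"ALERT {kind}: HiddenServiceDir {d}")
```

Run periodically (or from a file-integrity monitor) against the live torrc so that a silently swapped HiddenServiceDir raises an alert before the replacement service goes live.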
Following its attacks on JBS and Kaseya earlier this year, the Russia-linked ransomware gang drew widespread attention and shut down its darknet domains in July 2021. REvil then made an unexpected comeback on September 9, 2021, bringing both its data leak website and its payment portal back online.
The Washington Post reported that the FBI had obtained the code by hacking the group's servers, as part of a plan to disrupt the gang's malicious activities. "The planned takedown never happened because REvil's platform went offline in mid-July — without U.S. government participation — and the hackers disappeared before the FBI could carry out its plan."
REvil's affiliates have stated that the ransomware gang reportedly uses a backdoor to hijack its partners' operations in order to keep the entire ransom.
It is unclear whether the operators shut down the operation in response to law enforcement pressure following the recent large-scale Kaseya ransomware attack, or whether the infrastructure was seized as part of a law enforcement investigation.