After Tor sites were compromised, the REvil Ransomware Gang went underground
REvil, the notorious ransomware gang responsible for a slew of cyberattacks in recent years, appears to have vanished once more, just over a month after the cybercrime group made a shocking return after a two-month sabbatical.
The discovery was made by Dmitry Smilyanets of Recorded Future when a member of the REvil organisation wrote on the XSS hacking forum that anonymous actors had taken control of the gang’s Tor payment gateway and data leak website.
“The server was compromised and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would (sic) go there. I checked on others – this was not. Good luck everyone, I’m off,” user 0_neday said in the post.
As of this writing, it is unclear who was responsible for the compromise of REvil’s servers, though it would not be surprising if law enforcement authorities played a role in taking the domains down.
Following its attacks on JBS and Kaseya earlier this year, the Russia-linked ransomware organisation was forced to shut down its darknet domains in July 2021. However, on September 9, 2021, REvil made a surprising comeback, reactivating both its data leak site as well as its payment and negotiating sites.
The Washington Post revealed last month that the FBI, which had obtained a decryptor for the Kaseya ransomware attack by accessing the group’s servers, withheld it from victims for nearly three weeks as part of a plan to disrupt the gang’s operations. “The planned takedown never occurred because in mid-July REvil’s platform went offline — without U.S. government intervention — and the hackers disappeared before the FBI had a chance to execute its plan,” the report added.
After collecting the digital key from a “law enforcement partner,” Romanian cybersecurity firm Bitdefender eventually shared a universal decryptor in late July.
While it is common for ransomware groups to evolve, splinter, or reorganise under new names, the criminal field has come under increasing scrutiny for targeting critical infrastructure. At the same time, more cybercriminals are recognising the profitability of ransomware, aided in part by the unregulated cryptocurrency landscape, which allows threat actors to extort victims for digital payments with impunity.