REvil ransomware group's servers and infrastructure are shut down

The websites and infrastructure of the REvil ransomware group have suddenly been shut down or gone offline since last night. Even the server that victims use to make payments is no longer accessible. Currently, it is completely unclear what is behind this situation – and whether the group has been shut down by the state.


The REvil ransomware gang (also known as Sodinokibi) is one of the most aggressive cyber actors in recent times, offering "ransomware as a service". To market itself, the group uses a kind of affiliate program where third parties are allowed to use its malware for criminal purposes. The group then receives a portion of the extorted funds as commission. The attack on meat producer JBS and, most recently, the supply chain attack on U.S. manufacturer Kaseya (see Kaseya hack affects 1,500 companies worldwide) have stirred up plenty of dust. In May 2021, the REvil group had announced it would scale back its activities and no longer actively promote the service after the Darkside servers were seized.

REvil servers and infrastructure shut down

Since last night, REvil Group's websites as well as its payment servers and infrastructure have disappeared or been shut down. This can be seen from the following tweet and this post at Bleeping Computer. 


Those who try to access the group's Onion page are told that the page cannot be found. In this tweet, someone writes that the REvil pages have been down since July 13, 2021, 1:00 AM Eastern Standard Time (EST). The error message generally means that the Onion page is offline or has been disabled. Bleeping Computer writes that it is not unusual for REvil sites to be down for some time. But it is unusual for all pages of the REvil infrastructure to be shut down at the same time, they say. In addition, the decoder[.]re clear web page is no longer resolvable by DNS queries. This could indicate that the DNS records for the domain have been removed or that the backend DNS infrastructure has been shut down.

Currently, it is completely unclear what is behind this and whether the infrastructure there was deliberately shut down (there had been contact between US President Joe Biden and Russian President Putin on this issue). On the afternoon of July 13, the LockBit ransomware representative posted a message on the Russian-language XSS hacking forum that there were rumors that the REvil gang had wiped its servers after learning of a government subpoena. Bleeping Computer quotes the message as follows:


According to unconfirmed information, the REvil group has received a legal request from the Russian government forcing REvil to completely delete its server infrastructure and disappear. However, it did not confirm it.

Shortly after, the XSS admin banned the public-facing representative of the REvil ransomware gang, named Unknown, from the forum. However, in this tweet, someone suspects that the REvil group is just changing its infrastructure after being in the focus of law enforcement.
