REvil cyber gang suspends activities after hijacking Tor sites

[Image: Security (Pexels, general use)]

The REvil cyber gang appears to have completely stopped its activities again, only weeks after resurfacing from obscurity. The likely reason for the renewed exit is that individual Tor nodes of the group were apparently taken over. So the REvil cyber gang once again remains in the headlines, after it recently became known that the gang also ripped off and booted out its own partners.


The REvil group

The REvil ransomware gang (also known as Sodinokibi) is one of the most aggressive cyber actors of recent times, offering "ransomware as a service". To market itself, the group runs a kind of affiliate program in which third parties are allowed to use its malware for criminal purposes; the group then receives a share of the extorted funds as commission.

The attack on meat packer JBS and, most recently, the supply chain attack on U.S. manufacturer Kaseya (see Kaseya hack affects 1,500 companies worldwide) caused quite a stir. But smaller companies have also fallen victim to the gang. In mid-July 2021, the REvil group's websites, payment servers and infrastructure were shut down (I reported on this in the blog post REvil Ransomware Group server and infrastructure is shut down).

A few weeks ago, a decryptor for REvil-encrypted files was released (Bitdefender provides universal REvil decryptor). Furthermore, it became known that the ransomware gang had cheated its own partners: while the affiliates who had booked REvil's services and infected victims were still negotiating the ransom, the REvil operators entered those negotiations via a backdoor and took over the ransom payment.

REvil appears and disappears again

If I noticed it correctly, in mid-September 2021 there was an announcement that the REvil ransomware group was active again, because on September 7, 2021 the group's Tor negotiation, data leak and payment pages were suddenly reachable again. A day later it was again possible to log in to the Tor payment page and enter into negotiations with the gang. Bleeping Computer colleagues had reported on this here, for example.

However, various websites, including the tweet embedded above and this article from Bleeping Computer, are now reporting that the REvil gang has gone underground again. An unknown person is said to have hijacked the Tor payment portal and the blog where leaked data was published. The information was apparently posted on the XSS hacking forum by someone connected to the REvil group, and says that someone hijacked the REvil gang's domains.

This was discovered by Dmitry Smilyanets of Recorded Future, who found the post stating that an unknown person had hijacked the Tor hidden services (Onion domains) with the same private keys as REvil's Tor pages and probably has backups of the pages. One post states:

The server was compromised and they were looking for me. To be exact, they deleted the path to my hidden service in the torrc file and put their own path so I (sic) would go there. I checked with others – that was not the case. Good luck to all, I'm out of here.

But what exactly is behind the story, who the attacker is and what is intended is unclear.
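The forum post above describes the tampering concretely: the HiddenServiceDir path in torrc was swapped for one the attacker controlled, while the same private keys kept the .onion address unchanged. The following added example (my own code, not from the article or from any of the parties it describes) shows how an operator of any Tor hidden service would detect that from the defender's side: it parses torrc for HiddenServiceDir entries, derives each service's v3 .onion address from its hs_ed25519_public_key file per Tor's rend-spec-v3, and diffs both the paths and the addresses against a known-good baseline. The torrc contents, directory paths and key bytes are constructed for the demonstration.

```python
import base64
import hashlib
import re

# 32-byte header Tor writes in front of the raw key in hs_ed25519_public_key.
ED25519_PUB_HEADER = b"== ed25519v1-public: type0 ==\x00\x00\x00"

def onion_address(pubkey: bytes) -> str:
    """v3 address (rend-spec-v3): base32(pubkey | sha3_256(".onion checksum" | pubkey | 0x03)[:2] | 0x03)."""
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]
    return base64.b32encode(pubkey + checksum + b"\x03").decode().lower() + ".onion"

def hidden_service_dirs(torrc: str) -> list:
    """Every HiddenServiceDir path in a torrc, ignoring comments."""
    hits = (re.match(r"\s*HiddenServiceDir\s+(\S+)", ln.split("#", 1)[0]) for ln in torrc.splitlines())
    return [m.group(1) for m in hits if m]

def audit(torrc: str, read_pubkey, expected: dict) -> list:
    """Diff the live torrc and key files against a baseline {service dir: .onion address};
    read_pubkey(path) returns the raw bytes of <path>/hs_ed25519_public_key."""
    configured = hidden_service_dirs(torrc)
    findings = [f"{p}: baseline service dir removed from torrc" for p in expected if p not in configured]
    for path in configured:
        blob = read_pubkey(path)
        if not blob.startswith(ED25519_PUB_HEADER) or len(blob) != 64:
            findings.append(f"{path}: missing or malformed hs_ed25519_public_key")
            continue
        addr = onion_address(blob[32:])
        if path not in expected:
            findings.append(f"{path}: unexpected service dir, serves {addr}")
        elif addr != expected[path]:
            findings.append(f"{path}: key replaced, now serves {addr}")
    return findings

# Constructed sample: the operator's torrc, and the same torrc after the
# HiddenServiceDir line was pointed at a directory the operator did not create.
BASELINE_TORRC = "HiddenServiceDir /var/lib/tor/blog/\nHiddenServicePort 80 127.0.0.1:8080\n"
TAMPERED_TORRC = "HiddenServiceDir /var/lib/tor/.cache/blog/\nHiddenServicePort 80 127.0.0.1:8080\n"
SAMPLE_KEY = bytes(range(32))  # constructed stand-in for a real ed25519 public key
KEYS = {  # both directories hold a copy of the same key, as in the incident described above
    "/var/lib/tor/blog/": ED25519_PUB_HEADER + SAMPLE_KEY,
    "/var/lib/tor/.cache/blog/": ED25519_PUB_HEADER + SAMPLE_KEY,
}
EXPECTED = {"/var/lib/tor/blog/": onion_address(SAMPLE_KEY)}

def demo() -> tuple:
    """Findings for the baseline torrc (empty) and for the tampered one (two findings)."""
    read = lambda p: KEYS.get(p, b"")
    return audit(BASELINE_TORRC, read, EXPECTED), audit(TAMPERED_TORRC, read, EXPECTED)
```

Because the hijacker reused the original keys, a check that only compares the .onion hostname would pass; the path diff is what exposes the swap, so the baseline should record both the directory and the address.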

Similar articles:
Revil Ransomware hackers release first Trump files
REvil Ransomware attack at 200 Companies via Kaseya VSA and Management Service Provider (MSP)
Coop-Sweden closes 800 stores after Kaseya VSA supply chain attack by REvil gang
Kaseya hack affects 1,500 companies worldwide
REvil Ransomware Group server and infrastructure is shut down
Bitdefender provides universal REvil decryptor
