REvil Ransomware’s Tor Sites Were Hijacked
It Seems Like the Ransomware Operation Has Shut Down Again.
REvil/Sodinokibi is highly evasive and upgraded ransomware, which uses a special social engineering move, as the ones who spread it will threaten to double the ransom if not paid within a certain number of days, as thoroughly explained by Elena.
REvil ransomware is dangerous for companies of all sizes as it became the 4th most distributed ransomware in the world, targeting mostly American and European companies.
REvil ransomware appears to have been taken down once more after an unknown individual allegedly took over their Tor payment gateway and data leak blog.
The Tor sites were knocked down earlier today after a malicious attacker linked to the REvil operation claimed on the XSS hacking forum that the group’s domains had been hacked.
— 𝕯𝖒𝖎𝖙𝖗𝖞 𝕾𝖒𝖎𝖑𝖞𝖆𝖓𝖊𝖙𝖘 (@ddd1ms) October 17, 2021
Dmitry Smilyanets was the one that initially detected the thread, which claims that an unknown individual hijacked the Tor hidden services (onion domains) using the same private keys as REvil’s Tor sites and presumably owns backups of the sites.
But since we have today at 17.10 from 12:00 Moscow time, someone brought up the hidden-services of a landing and a blog with the same keys as ours, my fears were confirmed. The third party has backups with onion service keys.
As BleepingComputer shows, REvil disclosed that they did not see any signs of compromise regarding their servers but will be shutting down the operation. Soon after the ransomware actor told the affiliates to contact him for campaign decryption keys via Tox.
This means that the group will let affiliates continue extorting their victims by providing a decryptor only if a ransom is paid.
An .onion domain – Tor hidden service – can only be launched with a public and private generated key pair – both keys are needed to start the service.
Because anyone with access to the private key might use it to establish the same .onion service on their own server, it must be kept safe and only available to trusted admins.
Since a third party was able to hijack the domains, they now have access to the private keys for the secret service. It is yet unknown who has hacked into their servers.
Is REvil Ransomware Gone for Good?
As you might remember REvil’s business shut down after the large attack aimed at the Kaseya MSP platform, when its public-facing representative, Unknown, disappeared.
After Unknown failed to return, the remaining REvil operators relaunched the operation and websites using backups in September.
Since then, the ransomware operation has struggled to attract users, even increasing affiliate commissions to 90% to lure additional threat actors to collaborate with them.