REvil ransomware shuts down again after Tor site on the dark web is hijacked
REvil is the notorious Russian-linked ransomware ring allegedly responsible for high-profile cyber attacks on Kaseya, Travelex and JBS earlier this year.
The REvil ransomware operation is likely to shut down again after an unknown individual hijacked their Tor payment portal and data breach blog.
The Tor site went offline earlier today after a threat actor affiliated with the REvil operation posted on the XSS hacking forum that someone had hijacked the group's domain.
The hijack was first discovered by Recorded Future's Dmitry Smilyanets, who noted that an unknown person had hijacked the Tor hidden service (The Onion domain) using the same private key as REvil's Tor sites, and may have a backup of those sites.
"But our fears have been confirmed since today, between 12:00 and 17:10 Moscow time, when someone presented the login and blog hidden services with the same key as ours, and a third party has a backup of our Onion service key," a threat actor known as "0_neday" posted on a hacker forum.
The threat actor went on to say that they had found no signs that their servers had been compromised, but would shut down the operation.
The threat actor then told affiliates to contact him through Tox to obtain their decryption keys, so that affiliates can continue to extort their victims and hand over the decryptor once a ransom is paid.
To run a Tor hidden service (.onion domain), you need to generate a private and public key pair that is used to initialize the service; the .onion address itself is derived from the public key.
The private key must be kept secure and accessible only to trusted administrators, because anyone holding it can start the same .onion service on their own server and Tor clients will see it as the legitimate site.
Since a third party was able to hijack these domains, it follows that they also have access to the hidden service's private key.
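To make the "same key, same address" point concrete, here is an added example (not code from the article or from any party it describes) that derives a v3 .onion address from an ed25519 public key the way Tor does, validates an address back into its embedded key, and reads the `hs_ed25519_public_key` file Tor writes into a HiddenServiceDir. The 32-byte public key used below is a constructed placeholder, not a real service key; the derivation (SHA3-256 checksum over ".onion checksum" || pubkey || version, base32 of pubkey || checksum || 0x03) follows the Tor rendezvous v3 specification. Because the address is a pure function of the key, a defender who finds a copy of the key file anywhere outside the trusted host can immediately tell which service it would let someone impersonate.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"
# Header Tor writes at the start of hs_ed25519_public_key (29-char tag, NUL-padded to 32 bytes)
TOR_PUBKEY_FILE_HEADER = b"== ed25519v1-public: type0 ==".ljust(32, b"\x00")


def _checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    raw = pubkey + _checksum(pubkey) + ONION_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(addr: str) -> bytes:
    """Validate a v3 .onion hostname and return the embedded public key."""
    name = addr.strip().lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if len(name) != 56:
        raise ValueError("v3 onion names are 56 base32 characters")
    raw = base64.b32decode(name.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported or corrupted onion address version")
    if checksum != _checksum(pubkey):
        raise ValueError("checksum mismatch: address is corrupt or mistyped")
    return pubkey


def address_from_public_key_file(data: bytes) -> str:
    """Derive the hostname from the raw contents of Tor's hs_ed25519_public_key file."""
    if len(data) != 64 or data[:32] != TOR_PUBKEY_FILE_HEADER:
        raise ValueError("not a Tor ed25519v1 public key file")
    return onion_address(data[32:])


def key_file_matches_service(data: bytes, expected_addr: str) -> bool:
    """Defender check: does a key file found somewhere correspond to a known service hostname?"""
    return address_from_public_key_file(data) == expected_addr.strip().lower()


# Constructed placeholder key (NOT a real service key); two copies of the same key
# material necessarily yield the same hostname, which is exactly why backups of the
# HiddenServiceDir must be treated as the identity of the service.
PLACEHOLDER_PUBKEY = bytes(range(32))
PLACEHOLDER_KEYFILE = TOR_PUBKEY_FILE_HEADER + PLACEHOLDER_PUBKEY

if __name__ == "__main__":
    host = onion_address(PLACEHOLDER_PUBKEY)
    print("derived hostname:", host)
    print("round-trips:", parse_onion_address(host) == PLACEHOLDER_PUBKEY)
    print("key file matches:", key_file_matches_service(PLACEHOLDER_KEYFILE, host))
```

Note that every v3 address ends in the letter `d`, because the last base32 character encodes the low five bits of the version byte 0x03; a hostname with a different final character fails the version check before the checksum is even compared.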
This evening, 0_neday posted again on the hacker forum thread, this time saying that their servers had been compromised and that whoever did it was targeting the threat actor himself.
At this point, it is unclear who hacked into their servers.
Since Bitdefender and law enforcement had gained access to the master REvil decryption key and released a free decryptor, some threat actors believe the FBI or other law enforcement agencies have had access to the servers since the relaunch.
Since no one knows what happened, it is also possible that the threat actors are trying to regain control of the operation.
REvil may be permanently shut down
After REvil's massive attack through a zero-day vulnerability in the Kaseya MSP platform, REvil's operations abruptly shut down and their public-facing representative, Unknown, disappeared.
After Unknown did not return, other operators of REvil reactivated the operation and website in September using backups.
Since then, the ransomware operation has been struggling to recruit affiliates and has even increased affiliate commissions to 90% to entice other threat actors to work with them.
Due to this latest mishap, the current operation will likely be gone for good.
However, nothing good lasts forever where ransomware is concerned, and they will likely rebrand as a new operation soon.
From: On DarkNet – Dark Web News and Analysis
Copyright of the article belongs to the author; please do not reproduce without permission.