[TheRecord] REvil gang shuts down for the second time after its Tor servers were hacked

The REvil ransomware group has shut down its operation for the second time this year, claiming in a message posted on an underground hacking forum that they lost control over their Tor-based domains.

The group, considered one of the most successful ransomware operations to date, had been active since April 2019.

They shut down for the first time on July 13 this year, after one of their attacks against Kaseya servers during the July 4th US holiday hit thousands of businesses—in an incident that drew veiled threats and the attention of White House officials.

The decision to shut down operations was taken by the group’s leader and public figure, an individual named UNKN, who took down servers and disappeared with the group’s money, which left them unable to pay many of their affiliates—other groups who were helping REvil execute attacks and were splitting the profits.

The group, minus UNKN, made a formal return in early September using the same REvil name. To prove they were the same group as before, this new REvil incarnation restored all of their former Tor-hosted portals, such as their victim payment/extortion portal and data leak site.

As soon as they returned, the group’s members began launching new attacks.

But this Sunday, in a series of messages spotted by Recorded Future analyst Dmitry Smilyanets, the group’s new administrator, an individual named 0_neday, said that a third party compromised their Tor-based portal.

“The server was compromised and they were looking for me,” 0_neday said in a message, also translated and screenshotted below.

“To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would go there,” 0_neday added, suggesting someone had created a clone of the legitimate REvil Tor backend panel.

Image: The Record

The REvil server compromise came at a terrible time for this new incarnation of the REvil group, which was still dealing with the aftermath of their July shutdown.

Several affiliates were still trying to recover funds stolen by UNKN, the gang’s first admin, and the group’s developers were also accused of hiding a backdoor inside their code. The backdoor allegedly allowed the REvil admins to provide decryption keys to victims directly and force affiliates out of ransom negotiations and their ransom payment cut.

Since the cybercriminal underworld runs mainly on reputation and trust, the writing was on the wall for 0_neday, who at this point chose to shut down the REvil operation for good rather than deal with the gang’s ever-worsening reputation, which had most likely been destroyed entirely once its servers were compromised over the weekend.

“I really hope we just witnessed an offensive operation by the US government,” Smilyanets told The Record. “That is how you deal with cybercriminals – using their own methods against them. Release the Hounds!”

The post REvil gang shuts down for the second time after its Tor servers were hacked appeared first on The Record by Recorded Future.

