Operations of the REvil ransomware group have been suspended once again after an unknown party hijacked the group’s websites, through which the hackers accepted payments from victims and “leaked” data stolen from companies.
Bleeping Computer reports that all of the group’s Tor sites have gone offline, and a REvil representative posted on the hacker forum XSS that someone had seized the group’s domains.
Recorded Future specialist Dmitry Smilyanets was the first to notice this message. According to him, an unknown person had taken over the hackers’ onion domains using the same private keys as the REvil websites, which suggests the unknown person had access to backups of the hack group’s sites.
“Since today, 17.10, from 12:00 Moscow time, someone brought up the hidden services of the landing page and blog with the same keys as ours, my fears were confirmed. The third party has backups with keys from onion services,” writes a REvil representative under the nickname 0_neday on the forum.
The reason this matters is that to bring up an onion service, you generate a public/private key pair that is used to initialize the service, and the .onion address itself is derived from the public key. The private key must be protected and available only to administrators, because anyone who has it can run the same onion service, at the same address, on their own server. Since the third party was able to take over the REvil domains, it must also have had access to the group’s private keys.
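To make the key-to-address binding concrete, here is an added example (not code from the article or from any of the parties it describes) that derives a v3 .onion address from a 32-byte ed25519 public key the way the Tor rend-spec-v3 defines it, verifies an address back to its key, and audits a HiddenServiceDir for a secret-key file that is readable by anyone other than its owner. The public key value, the file contents and the directory layout are constructed for the demonstration; only the derivation rule and the file name `hs_ed25519_secret_key` come from Tor’s documented behaviour.

```python
import base64
import hashlib
import os
import tempfile

ONION_VERSION = b"\x03"              # v3 onion services carry version byte 0x03
CHECKSUM_PREFIX = b".onion checksum"  # domain-separation string from rend-spec-v3

# Constructed 32-byte value standing in for an ed25519 public key (not a real service key).
EXAMPLE_PUBKEY = hashlib.sha256(b"constructed example key, not a real service").digest()


def _checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Derive the v3 .onion address: base32(PUBKEY || CHECKSUM || VERSION) + ".onion".

    Because the address is a pure function of the public key, whoever holds the
    matching private key can serve that exact address from any machine.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + ONION_VERSION   # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_onion_address(address: str):
    """Parse and validate a v3 .onion address; return the public key, or None if invalid."""
    if not address.endswith(".onion"):
        return None
    label = address[: -len(".onion")]
    if len(label) != 56:
        return None
    try:
        raw = base64.b32decode(label, casefold=True)
    except Exception:
        return None
    if len(raw) != 35 or raw[34:35] != ONION_VERSION:
        return None   # the 0x03 version byte makes every valid v3 label end in "d"
    pubkey, checksum = raw[:32], raw[32:34]
    if checksum != _checksum(pubkey):
        return None
    return pubkey


def insecure_key_files(hidden_service_dir: str) -> list:
    """Report secret-key files in a HiddenServiceDir that group or others can read.

    Tor writes the service's long-term secret key to <HiddenServiceDir>/hs_ed25519_secret_key;
    it should be mode 0600 and owned by the tor user. A copy of this file in a backup is
    exactly as sensitive as the live file.
    """
    findings = []
    path = os.path.join(hidden_service_dir, "hs_ed25519_secret_key")
    if os.path.exists(path):
        mode = os.stat(path).st_mode & 0o777
        if mode & 0o077:
            findings.append(f"{path}: mode {mode:04o} (expected 0600)")
    return findings


def demo_permission_audit() -> list:
    """Build a throwaway HiddenServiceDir with a world-readable key file and audit it."""
    with tempfile.TemporaryDirectory() as d:
        key_path = os.path.join(d, "hs_ed25519_secret_key")
        with open(key_path, "wb") as f:
            f.write(b"== constructed placeholder, not a real tor key ==" + b"\x00" * 64)
        os.chmod(key_path, 0o644)   # deliberately too permissive
        return insecure_key_files(d)


if __name__ == "__main__":
    addr = onion_address_from_pubkey(EXAMPLE_PUBKEY)
    print("derived address:", addr)
    print("round-trips to same key:", pubkey_from_onion_address(addr) == EXAMPLE_PUBKEY)
    for finding in demo_permission_audit():
        print("audit:", finding)
```

The practical takeaway for anyone operating an onion service is the same one the REvil incident illustrates: the address cannot be rotated without changing the key, so the secret-key file, and every backup that contains it, has to be treated as the credential that it is.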
Although at first the hackers found no signs that their servers had been compromised, they nevertheless decided to halt operations. The group’s affiliates were asked to contact the REvil operators via Tox to obtain decryption keys, so that the affiliates could continue the extortion on their own and hand victims a decryptor if they pay the ransom.
Later, 0_neday reported that the group’s server had been compromised, and an unknown attacker was targeting REvil.
Bleeping Computer notes that this time around, REvil has probably gone out of business for good. The group had already “disappeared from the radar” once, after the scandalous attacks on the customers of the well-known MSP solution provider Kaseya and on JBS, the world’s largest supplier of beef and poultry and the second-largest pork producer.
Although REvil eventually returned a few months later, some cybercriminals and information security experts believed that the FBI or other law enforcement agencies had gained access to the group’s servers and controlled them since the restart. After all, while REvil was inactive, Kaseya somehow obtained a universal key to decrypt its customers’ data. At the time, many believed that Russian law enforcement officers had received the decryption key from the attackers themselves and handed it over to the FBI as a gesture of goodwill.
In addition, in the past a member of the group known as Unknown or UNKN posted advertisements and the latest news about REvil operations on hacker forums. After the ransomware operation restarted, he disappeared, and the hackers themselves wrote that Unknown had probably been arrested. What happened to him is still not known for certain, but according to journalists, the current hack may be connected to Unknown and his attempts to regain control.
It is also important that after the restart, REvil’s reputation suffered, and the ransomware operators tried to attract new partners by any means. It got to the point that they offered a commission increase of up to 90%, just to encourage other attackers to work with them.