REvil, a ransomware gang behind multiple high-profile ransomware attacks in recent years, has shut down its ransomware operation once again after an unknown actor compromised the group’s Tor leak site and payment portal.
The hack was revealed by a REvil affiliate who goes online as '0_neday' in a post on the XSS hacking forum.
The message discovered by Recorded Future's Dmitry Smilyanets says that unidentified actors hijacked the group’s Tor hidden services with the same private keys as REvil's Tor sites.
“But since we have today at 17.10 from 12:00 Moscow time, someone brought up the hidden-services of a landing and a blog with the same keys as ours, my fears were confirmed. The third party has backups with onion service keys,” 0_neday said, adding that they found no signs that servers were compromised.
However, a little later 0_neday posted another message saying that the server was indeed compromised.
"The server was compromised and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would (sic) go there. I checked on others - this was not. Good luck everyone, I'm off," 0_neday said in the post.
At present, it is unknown who compromised the gang servers.
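The two observations above describe one mechanism: a v3 onion address is derived entirely from the service's ed25519 public key, so anyone holding a backup of the `hs_ed25519_*` key files can publish an identical address, and anyone who can edit `torrc` can swap which key directory a `HiddenServiceDir` line points at. The following script is an added example (not code from the article, REvil, or the Tor project) of how an operator can pin the expected onion address for each service directory and audit both the `torrc` and the key files against that inventory. It assumes the standard Tor on-disk format (a 32-byte `== ed25519v1-public: type0 ==` header followed by the 32-byte key) and uses constructed sample data held in memory instead of real files; `/var/lib/tor/blog` and `/var/lib/tor/rogue` are placeholder paths.

```python
import base64
import hashlib
import re
from typing import Dict, List

# Tor v3 onion address construction (rend-spec-v3): VERSION byte and header
# used by the hs_ed25519_public_key file on disk.
ONION_VERSION = b"\x03"
PUBKEY_HEADER = b"== ed25519v1-public: type0 ==\x00\x00\x00"  # exactly 32 bytes


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Derive the .onion address from a 32-byte ed25519 public key.

    address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
    CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]
    body = base64.b32encode(pubkey + checksum + ONION_VERSION).decode("ascii").lower()
    return body + ".onion"


def pubkey_from_keyfile(data: bytes) -> bytes:
    """Strip the Tor header from an hs_ed25519_public_key file's contents."""
    if len(data) != 64 or not data.startswith(PUBKEY_HEADER):
        raise ValueError("not a Tor hs_ed25519_public_key file")
    return data[32:]


def hidden_service_dirs(torrc: str) -> List[str]:
    """Return every HiddenServiceDir path configured in a torrc, comments stripped."""
    dirs = []
    for raw in torrc.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"HiddenServiceDir\s+(\S+)", line)
        if m:
            dirs.append(m.group(1).rstrip("/"))
    return dirs


def audit(torrc: str, keyfiles: Dict[str, bytes], expected: Dict[str, str]) -> List[str]:
    """Compare torrc and on-disk keys with a pinned {service_dir: onion_address} inventory.

    Flags: a pinned service removed from torrc, a key directory whose public key
    no longer yields the pinned address, and any service directory that was
    added to torrc without being in the inventory.
    """
    findings = []
    configured = hidden_service_dirs(torrc)
    for service_dir, pinned_addr in expected.items():
        if service_dir not in configured:
            findings.append(f"MISSING: {service_dir} ({pinned_addr}) no longer configured in torrc")
            continue
        data = keyfiles.get(service_dir + "/hs_ed25519_public_key")
        if data is None:
            findings.append(f"NO KEY: {service_dir} has no hs_ed25519_public_key file")
            continue
        actual = onion_address_from_pubkey(pubkey_from_keyfile(data))
        if actual != pinned_addr:
            findings.append(f"KEY MISMATCH: {service_dir} now serves {actual}, expected {pinned_addr}")
    for service_dir in configured:
        if service_dir not in expected:
            findings.append(f"UNEXPECTED: {service_dir} configured in torrc but not in the pinned inventory")
    return findings


# Constructed sample data (not real keys or services).
KNOWN_KEY = bytes(range(1, 33))       # the operator's own service key
ROGUE_KEY = bytes(range(101, 133))    # a different key in a directory the operator did not create
PINNED = {"/var/lib/tor/blog": onion_address_from_pubkey(KNOWN_KEY)}
KEYFILES = {
    "/var/lib/tor/blog/hs_ed25519_public_key": PUBKEY_HEADER + KNOWN_KEY,
    "/var/lib/tor/rogue/hs_ed25519_public_key": PUBKEY_HEADER + ROGUE_KEY,
}
CLEAN_TORRC = "HiddenServiceDir /var/lib/tor/blog\nHiddenServicePort 80 127.0.0.1:8080\n"
# The tampered torrc mirrors the quoted description: the original path is deleted
# and a different service directory is raised in its place.
TAMPERED_TORRC = "# HiddenServiceDir /var/lib/tor/blog\nHiddenServiceDir /var/lib/tor/rogue\nHiddenServicePort 80 127.0.0.1:8080\n"


def run_demo() -> Dict[str, List[str]]:
    return {"clean": audit(CLEAN_TORRC, KEYFILES, PINNED),
            "tampered": audit(TAMPERED_TORRC, KEYFILES, PINNED)}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", findings or ["OK"])
```

Pinning the address per directory, rather than trusting whatever `torrc` currently points at, is the design choice that matters here: the check fails loudly both when a pinned service disappears from the config and when a new `HiddenServiceDir` appears, which is the pattern the affiliate describes. It does not, and cannot, detect that a copy of the key files exists elsewhere; only key rotation addresses that.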
The REvil ransomware operation attracted major scrutiny following a string of attacks on the meat giant JBS and the US-based software company Kaseya that impacted 60 MSPs and over 1,500 businesses, prompting the group to shut down its operation.
Several months later, the servers of the REvil ransomware gang came back online. At the time, a new representative of the group, known as ‘REvil’, said the gang had gone on a break after its previous representative, known as ‘Unknown’, disappeared, prompting concerns that he had been arrested and the servers compromised.