REvil ransomware operation taken down by an unknown vigilante

Second shutdown in recent months could sound the death knell for ransomware gang


The Tor sites of notorious ransomware operators known as REvil have once again gone offline, this time in response to an unknown vigilante hijacking the gang’s domains.

A threat actor affiliated with the REvil operation posted on an underground hacking forum that an unknown person has hijacked REvil’s Tor payment portal and data leak blog.

“But since we have today at 17.10 from 12:00 Moscow time, someone brought up the hidden-services of a landing and a blog with the same keys as ours, my fears were confirmed. The third party has backups with onion service keys,” a threat actor known as 0_neday posted to the hacking forum.


The threat actor reportedly went on to say that in response to the takeover the ransomware operators will be shutting down the operation.

Gone for good?

According to Recorded Future’s Dmitry Smilyanets, who discovered the forum post, 0_neday said that an unknown person hijacked the Tor hidden services, which have a .onion domain, using the same private keys as REvil’s Tor sites.

Launching a Tor .onion domain requires a private and public key pair to initialize the service; the .onion address itself is derived from the public key, so whoever holds the private key can serve that address. It appears the private key is now held by someone other than REvil, who has used it to launch the same .onion service on their own server, effectively hijacking REvil’s sites and forcing the shutdown.
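To make the point above concrete, here is an added example (not from the article or from Tor’s own code) that derives a v3 .onion address from an ed25519 public key using the formula in Tor’s rend-spec-v3, and validates an address by checking its embedded checksum and version. It assumes v3 onion services, which the article does not state; the sample key is constructed, not a real one.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"               # v3 onion services
CHECKSUM_PREFIX = b".onion checksum"  # fixed prefix from rend-spec-v3


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 .onion address bound to a 32-byte ed25519 public key.

    Because the address is a pure function of the public key, anyone holding
    the matching private key can host the same address from any server.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]
    raw = pubkey + checksum + ONION_VERSION  # 35 bytes -> exactly 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(addr: str) -> bytes:
    """Return the public key embedded in a v3 .onion address, or raise ValueError."""
    if not addr.endswith(".onion"):
        raise ValueError("not a .onion address")
    body = addr[: -len(".onion")]
    if len(body) != 56:
        raise ValueError("v3 onion addresses are 56 characters before .onion")
    raw = base64.b32decode(body.upper())  # binascii.Error is a ValueError subclass
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion service version")
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    if checksum != expected:
        raise ValueError("checksum mismatch")
    return pubkey


def is_valid_onion_address(addr: str) -> bool:
    """Convenience wrapper: True if the address parses and its checksum verifies."""
    try:
        parse_onion_address(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample_pubkey = bytes(range(32))  # constructed placeholder, not a real key
    addr = onion_address(sample_pubkey)
    print(addr, is_valid_onion_address(addr))
```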

This is the second time REvil has taken its web infrastructure offline, forced or otherwise. It only came back online last month after being offline for the majority of two months.

However, since its return the group has reportedly been struggling to get threat actors to work with it, despite going as far as to increase affiliates’ commission to 90%.

With this latest mishap, BleepingComputer reckons REvil will likely be gone for good, at least in its current form.

Via BleepingComputer

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.