REvil ransomware group goes dark after its Tor sites were hijacked

REvil, the notorious Russian-linked ransomware gang responsible for the high-profile cyberattacks on Kaseya, Travelex and JBS earlier this year, has disappeared again after its Tor payment portal and data leak blog were allegedly hijacked.

The shutdown comes weeks after the group re-emerged from a months-long hiatus, during which it went quiet after facing heat from the U.S. government over its attack on Kaseya, which left thousands of companies infected with ransomware. News of the shutdown was first claimed in a post on a known criminal forum by a threat actor known to be affiliated with the REvil operation; the post was spotted by Recorded Future’s Dmitry Smilyanets.

The threat actor’s post said the group’s Tor services were hijacked by someone holding a copy of the group’s private keys, likely taken from an earlier backup. “The server was compromised and they were looking for me,” the post reads. “To be precise, they deleted the path to my hidden service in the torrc file [the configuration file for the Tor service] and raised their own so that I would go there. I checked on others — this was not. Good luck everyone, I’m off.”
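The tampering described in that post is a configuration-drift problem: a `HiddenServiceDir` entry disappears from `torrc` and a new one appears pointing at a directory the operator did not create, while the `.onion` address, which Tor derives from the service's private key, stays the same because the hijacker holds a copy of that key. The following added example, which is not from the original article and has nothing to do with REvil's own infrastructure, shows how an operator of any legitimate onion service could detect both signals: it diffs the hidden-service directives of a known-good `torrc` baseline against the live file, and checks that each service directory's `hostname` file still contains the expected address. The `torrc` contents, directory paths, `.onion` strings and the in-memory "filesystem" are all constructed sample data; the `.onion` values are placeholders, not real v3 addresses.

```python
"""Audit Tor hidden-service configuration for drift against a known-good baseline.

Tor applies each HiddenServicePort line to the most recent HiddenServiceDir,
so the parser tracks the "current" directory while walking the file.
All sample data below is constructed for illustration.
"""
import re

HS_DIR_RE = re.compile(r"^\s*HiddenServiceDir\s+(\S+)", re.IGNORECASE)
# HiddenServicePort VIRTPORT [TARGET]; TARGET defaults to 127.0.0.1:VIRTPORT
HS_PORT_RE = re.compile(r"^\s*HiddenServicePort\s+(\d+)(?:\s+(\S+))?", re.IGNORECASE)


def parse_hidden_services(torrc_text):
    """Return {hidden_service_dir: [(virtual_port, target), ...]} from torrc text."""
    services = {}
    current = None
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = HS_DIR_RE.match(line)
        if m:
            current = m.group(1)
            services.setdefault(current, [])
            continue
        m = HS_PORT_RE.match(line)
        if m:
            if current is None:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            vport = int(m.group(1))
            target = m.group(2) or f"127.0.0.1:{vport}"
            services[current].append((vport, target))
    return services


def diff_hidden_services(baseline_text, current_text):
    """Report directories that were removed, added, or had their port mapping changed."""
    base = parse_hidden_services(baseline_text)
    cur = parse_hidden_services(current_text)
    return {
        "removed": sorted(set(base) - set(cur)),
        "added": sorted(set(cur) - set(base)),
        "changed_ports": sorted(d for d in set(base) & set(cur) if base[d] != cur[d]),
    }


def check_hostnames(service_dirs, expected_onions, read_hostname):
    """Compare the address Tor derived from each directory's key with the expected one.

    read_hostname(dir) returns the contents of <dir>/hostname or raises
    FileNotFoundError; it is injected so the check can run against a real
    filesystem or, as here, against constructed data.
    Returns {dir: actual_or_None} for every mismatch.
    """
    mismatches = {}
    for d in service_dirs:
        try:
            actual = read_hostname(d).strip()
        except FileNotFoundError:
            actual = None
        if expected_onions.get(d) != actual:
            mismatches[d] = actual
    return mismatches


# --- constructed sample data (hypothetical paths and placeholder .onion names) ---
BASELINE_TORRC = """\
SocksPort 0
HiddenServiceDir /var/lib/tor/payment_portal/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /var/lib/tor/leak_blog/
HiddenServicePort 80 127.0.0.1:8081
"""

CURRENT_TORRC = """\
SocksPort 0
# the payment_portal entry has been deleted and a foreign one added
HiddenServiceDir /var/lib/tor/leak_blog/
HiddenServicePort 80 127.0.0.1:8081
HiddenServiceDir /home/intruder/hs_copy/
HiddenServicePort 80 10.0.0.5:80
"""

EXPECTED_ONIONS = {
    "/var/lib/tor/payment_portal/": "placeholderpaymentaddress.onion",
    "/var/lib/tor/leak_blog/": "placeholderblogaddress.onion",
}

# Simulated filesystem: the payment_portal hostname file is gone with its directory.
FAKE_FS = {"/var/lib/tor/leak_blog/hostname": "placeholderblogaddress.onion\n"}


def fake_read_hostname(service_dir):
    path = service_dir.rstrip("/") + "/hostname"
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]


def audit():
    """Run both checks on the constructed data and return one report."""
    return {
        "torrc_drift": diff_hidden_services(BASELINE_TORRC, CURRENT_TORRC),
        "hostname_mismatches": check_hostnames(EXPECTED_ONIONS, EXPECTED_ONIONS, fake_read_hostname),
    }


if __name__ == "__main__":
    print(audit())
```

Run on a real host by replacing `fake_read_hostname` with a function that opens `<dir>/hostname` and reading the live `torrc` from disk; the baseline should come from a copy stored off the box, since a config snapshot kept beside `torrc` can be altered in the same step. Note that the hostname check only catches a swapped or missing key locally; it cannot see a second instance of the same service raised elsewhere with a stolen key, which is why the configuration diff is the more useful signal for the scenario in the post.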

What REvil’s Tor site looks like (at the time of publication) following an apparent hijack. (Image: TechCrunch)

At the time of writing, it isn’t clear who compromised REvil’s servers. A report by The Washington Post in September said the FBI had obtained the group’s encryption keys for the companies hit by the Kaseya attack in July, but that the agency’s planned takedown never happened after the group disappeared. Others are pointing to a possible takeover by a former group member, known as “Unkn,” or Unknown, a long-time spokesperson for the group, who did not return when the rest of the group reemerged in September.

“Since there was no confirmation of the reason for his loss, we resumed work, thinking that he was dead,” the threat actor explained in their forum post. “But since we have today at 17.10 from 12:00 Moscow time, someone brought up the hidden-services of a landing and a blog with the same key as ours, my fears were concerned.”

VX-Underground, a website that hosts malware source code, samples and papers, tweeted that only Unknown and the forum-posting threat actor had REvil domain keys and that the ransomware group’s domain was recently accessed using Unknown’s keys.

It remains to be seen whether REvil — linked to the majority of ransomware detections in the second quarter this year, according to McAfee — is gone for good. But since the group’s surprise reappearance in September, it has struggled to recruit users, prompting the group to increase its affiliate commissions to entice new threat actors.