REvil Ransomware Sites Go Offline Again After Onion Domain Hack

The dark web sites operated by the REvil hacker group have gone offline once more after unknown individuals took control of their payment portal and data leak blog on October 17.

A cybercriminal associated with the ransomware operators, using the nickname 0_neday, posted a message on the XSS hacker forum announcing the takeover of REvil’s onion domains. “Since October 17 at 12:00 Moscow time, someone launched hidden services for the landing page and blog using the same keys as ours, confirming my fears. A third party has backups with the keys to the onion services,” 0_neday wrote.

To run a Tor hidden (onion) service, a public/private key pair is generated, and the .onion address is derived from the public key. The private key must be restricted to trusted administrators, because anyone who holds it can bring up the same .onion address on a server of their own.
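The following is an added illustration, not code from the article or from any party it describes. It derives a Tor v3 .onion address from an ed25519 public key using the published formula and verifies an address back to its key, which makes the point above concrete: the name is a pure function of the key pair, so possession of the private key is possession of the address. The sample key is constructed; an operator auditing a real service would instead read the 32-byte key from the service directory.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"  # v3 onion services


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion" (Tor rend-spec-v3)."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    # CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]
    # 35 bytes -> exactly 56 base32 characters, no padding
    return base64.b32encode(pubkey + checksum + ONION_VERSION).decode().lower() + ".onion"


def pubkey_from_onion_address(address: str) -> bytes:
    """Parse a v3 address, check version and checksum, and return the public key."""
    name = address.lower()
    if name.endswith(".onion"):
        name = name[:-6]
    raw = base64.b32decode(name.upper())
    if len(raw) != 35:
        raise ValueError("not a v3 onion address")
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion version")
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    if checksum != expected:
        raise ValueError("checksum mismatch")
    return pubkey


def address_matches_key(address: str, pubkey: bytes) -> bool:
    """Defender-side check: does the address we publish belong to the key we hold?"""
    return onion_address_from_pubkey(pubkey) == address.lower()


# Constructed sample key (not a real service's key).
SAMPLE_PUBKEY = bytes(range(32))

if __name__ == "__main__":
    addr = onion_address_from_pubkey(SAMPLE_PUBKEY)
    print(addr)
    print(address_matches_key(addr, SAMPLE_PUBKEY))
```

Because the private half of the same pair is all that is needed to serve this name, the address check above is only meaningful alongside tight access control on the secret key file itself.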

Later, 0_neday reported that the group’s server had been compromised and that the attacker had specifically targeted REvil. He decided to cease all operations and invited affiliates to contact him via Tox to obtain decryption keys, allowing them to continue extorting victims independently.

At the time of writing, it is unknown who was behind the compromise of the hacker domains. However, experts do not rule out the involvement of the FBI or other law enforcement agencies.

Another possible explanation is an attempt by a REvil representative, known as Unknown or UNKN, to regain control of the sites. After the ransomware operation was relaunched, this individual disappeared and was rumored to have been arrested, but their fate remains unclear.

REvil, also known as Sodinokibi, is considered one of the largest hacker groups in the world. According to U.S. intelligence agencies, the cybercriminals carried out at least 15 attacks per month. In 2020, the group’s earnings exceeded $100 million.

On the night of July 13, 2021, REvil’s dark web sites suddenly went offline. This included the Happy Blog, used to publish victim data, as well as sites for negotiating ransom amounts and accepting payments.

In September, REvil operators used backups to relaunch their sites and began searching for potential partners.

For more news, follow ForkLog on Telegram: ForkLog Feed for the full news feed, and ForkLog for the most important news, infographics, and opinions.