The infamous ransomware organization REvil, which has been behind a number of attacks in recent years, seems to have vanished from sight once again.
Recorded Future’s Dmitry Smilyanets was the first to notice the change, which came after a member of the REvil group revealed on the XSS hacking forum that the gang’s Tor payment gateway and data leak site had been taken over by unknown individuals.
According to a post by a user named 0_neday, REvil’s server was hacked and the path to its hidden service in the torrc file (the HiddenServiceDir entry that tells Tor which key directory, and therefore which .onion address, to serve) was deleted and replaced with another one.
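The compromise described above comes down to a single configuration line: the HiddenServiceDir directory holds the onion service’s private key, so whoever changes that path controls which .onion address Tor publishes. The following is an added example, not code from the article or from anyone involved in the incident, showing how an operator of a legitimate onion service could baseline the HiddenService* lines of a torrc and flag a swapped directory. The torrc contents and directory paths are constructed for illustration.

```python
"""
Detect tampering with the HiddenService* directives of a Tor torrc file.

Added example (not from the article). Tor associates each HiddenServicePort
line with the most recent HiddenServiceDir line, and the directory named by
HiddenServiceDir holds the key material (hs_ed25519_secret_key, hostname)
that defines the .onion address. Swapping the path silently changes which
service Tor publishes, so the path is worth monitoring like any other secret.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the operator's known-good torrc.
BASELINE_TORRC = """
SocksPort 0
HiddenServiceDir /var/lib/tor/payment/
HiddenServicePort 80 127.0.0.1:8080   # payment portal
HiddenServiceDir /var/lib/tor/leaks/
HiddenServicePort 80 127.0.0.1:8081   # leak site
"""

# Constructed sample: same file after someone replaced the first path.
TAMPERED_TORRC = """
SocksPort 0
HiddenServiceDir /var/lib/tor/hijacked/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /var/lib/tor/leaks/
HiddenServicePort 80 127.0.0.1:8081
"""


@dataclass
class HiddenService:
    """One onion service block: its key directory and the ports it exposes."""
    directory: str
    ports: List[str] = field(default_factory=list)


def parse_hidden_services(torrc_text: str) -> List[HiddenService]:
    """Extract HiddenService blocks in file order, ignoring comments and
    unrelated directives. Directive names are case-insensitive in torrc."""
    services: List[HiddenService] = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing/whole-line comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "hiddenservicedir":
            # Normalise trailing slash so "/a/" and "/a" compare equal.
            services.append(HiddenService(directory=value.rstrip("/")))
        elif key == "hiddenserviceport" and services:
            services[-1].ports.append(value)
    return services


def diff_hidden_services(baseline_text: str, current_text: str) -> List[Dict[str, str]]:
    """Compare current torrc against the baseline, block by block, and return
    a list of findings. An empty list means no HiddenService change."""
    base = parse_hidden_services(baseline_text)
    cur = parse_hidden_services(current_text)
    findings: List[Dict[str, str]] = []
    for i in range(max(len(base), len(cur))):
        b = base[i] if i < len(base) else None
        c = cur[i] if i < len(cur) else None
        if b is None:
            findings.append({"kind": "service_added", "dir": c.directory})
        elif c is None:
            findings.append({"kind": "service_removed", "dir": b.directory})
        else:
            if b.directory != c.directory:
                findings.append({"kind": "dir_changed",
                                 "before": b.directory, "after": c.directory})
            if b.ports != c.ports:
                findings.append({"kind": "ports_changed", "dir": c.directory,
                                 "before": ", ".join(b.ports),
                                 "after": ", ".join(c.ports)})
    return findings


if __name__ == "__main__":
    for finding in diff_hidden_services(BASELINE_TORRC, TAMPERED_TORRC):
        print(finding)
```

In a real deployment the baseline would be stored outside the monitored host and the check would also hash the key files inside each HiddenServiceDir, since an attacker who can edit torrc can usually also copy or replace keys; this example only covers the configuration change the forum post describes.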
There is still no information about who is behind the compromise of REvil’s servers, but it is quite possible that law enforcement authorities had something to do with the domains being taken down.
After attacking JBS and Kaseya earlier this year, the Russia-linked ransomware group came under intense scrutiny, which led it to take its darknet domains offline in July 2021. REvil then made a surprise comeback on September 9, 2021, resurrecting its data leak site along with its payment and negotiation sites.
According to a report by The Washington Post last month, the FBI withheld from victims a decryptor it had obtained by accessing the gang’s servers, holding it for almost three weeks before sharing it with victims of the Kaseya attack, as part of a plan to disrupt the gang’s operations. After REvil’s sites went offline in mid-July without US government involvement, the gang vanished before the FBI could carry out that plan, according to the report.
The Romanian cybersecurity company Bitdefender subsequently obtained a universal decryption key from an unnamed “law enforcement partner” and released it to victims in September 2021.
Ransomware groups are known to rebrand, split up and even vanish from sight for a time, only to re-emerge on the cybercriminal scene with more sophisticated attacks on critical infrastructure. Disappearing costs them little while the business remains profitable: more cybercriminals are realizing how lucrative ransomware is, and the largely unregulated cryptocurrency landscape makes collecting and laundering the payments easier.