Renowned ransomware gang REvil is tipped by experts to have once more shut down after its data leak blog and Tor payment portal were hacked by an unidentified entity.

The gang’s Tor sites disappeared offline while an affiliate threat actor of REvil posted that the ransomware group’s domains were hijacked on the popular hacker forum XSS.

A shutdown revealed

REvil’s status was first discovered when Dmitry Smilyanets of expert cyber intelligence firm Recorded Future encountered the forum thread online. The post stated that an unknown individual had hijacked Tor hidden services using identical private keys employed for REvil’s own Tor sites. It commented that it was likely the hijacker also obtained access to backups of the Tor sites.

The threat actor, known as 0_neday, added that they had found no signs of any compromise to REvil’s servers and that the ransomware gang would be shutting down its operation.

0_neday then informed affiliates to contact them for campaign decryptors using the encrypted messaging protocol Tox. This instruction was likely intended to enable affiliates to continue extorting funds from victims, and to give them access to the necessary decryption key to release when ransoms were paid.

Who is behind the hijacking of REvil’s ransomware operation?

To initiate a Tor hidden service, also known as an onion domain, users must generate a public and private key pair. This is then used to launch the service.

Private keys must be safeguarded and only accessible by trusted administrators. The reason for this is that anyone who can access the key can potentially launch the same onion service on a server under their own control.

As a third party successfully hijacked the domains in this instance, this means they must have possessed full access to the Tor hidden service’s dedicated key pair.

Another post was made later by 0_neday in the same XSS forum topic, stating that since the earlier message the server had also been compromised. The threat operator suggested that the individual responsible was specifically targeting REvil.

Previously law enforcement and Bitdefender gained total access to the REvil’s master decryption key and aided its victims by releasing a free decryption device. This has led many threat actors to believe that either the FBI or another law enforcement agency has maintained access to the servers REvil uses, since it recently relaunched its operation.

After the REvil ransomware gang carried out a massive attack on numerous companies via a zero-day vulnerability in the well-known Kaseya MSP platform, it suddenly shut down, and its public face dubbed “Unknown” vanished without a trace. The high-profile nature of the attack focused the attention of world governments and law enforcement agencies on REvil’s operation and, fearing capture, many thought the gang had permanently disbanded.

Recently, a new incarnation of REvil returned to the cybercrime landscape using the gang’s websites and backups, but without the presence of “Unknown”. Since then, the gang has struggled to re-establish its status in the ransomware world and has been forced to incentivise its hiring of affiliates with inflated payments.