REvil Goes Down Again
REvil has shut down again, two months after reappearing. The gang has taken its Tor payment portal and data leak site offline. The information was revealed by a REvil affiliate known as 0_neday on the XSS hacking forum. The post stated that someone had hijacked the gang's onion domains using the same private keys as REvil's own sites. It further stated that the hacker may have obtained backups of the sites, while there were no signs of compromise on the actual servers. According to the post, the gang decided to shut down its ransomware operations for security reasons.
Researchers think that the hacker responsible may be Unknown, the original mastermind behind the REvil ransomware, who also was the official spokesperson of the gang. 0_neday stated that affiliates can still continue extorting their victims. He asked affiliates to reach out to him for campaign decryption keys through Tox. He can still provide a decryptor if the ransom has been paid.
This is the second time that REvil has shut down its operations. The first time was in July, after the high-profile attack on Kaseya. However, that shutdown did not last long, as the group was back in operation within a short time.
REvil being shut down is good news across the globe. However, its earlier disappearance and subsequent comeback showed that there is no such thing as a permanent shutdown when it comes to well-organized ransomware gangs. While the REvil operators may have shut down this specific group, there is no doubt that individuals who were part of the REvil organization will continue to conduct ransomware attacks. IT administrators should stay protected from such threats by keeping reliable backups and adopting proactive defenses.