
REvil ransomware operation taken down by an unknown vigilante

The Tor sites of notorious ransomware operators known as REvil have once again gone offline, this time in response to an unknown vigilante hijacking the gang’s domains.

A threat actor affiliated with the REvil operation posted on an underground hacking forum that an unknown person has hijacked REvil’s Tor payment portal and data leak blog.

“But since we have today at 17.10 from 12:00 Moscow time, someone brought up the hidden-services of a landing and a blog with the same keys as ours, my fears were confirmed. The third party has backups with onion service keys,” a threat actor known as 0_neday posted to the hacking forum.

The threat actor reportedly went on to say that in response to the takeover the ransomware operators will be shutting down the operation. 

Gone for good?

According to Recorded Future’s Dmitry Smilyanets, who discovered the forum post, 0_neday said that an unknown person hijacked the Tor hidden services, which have a .onion domain, using the same private keys as REvil’s Tor sites.

Launching a Tor .onion service requires a private and public key pair to initialize the service. It appears that someone other than REvil now holds the private key and has used it to launch the same .onion service on their own server, effectively hijacking REvil’s operations and forcing the shutdown.

This is the second time REvil has taken its web infrastructure offline, forced or otherwise. It only came back online last month after being offline for most of two months.

Since its return, however, the group has reportedly been struggling to get threat actors to work with it, despite going as far as increasing affiliates’ commission to 90%.

With this latest mishap, BleepingComputer believes REvil will likely be gone for good, at least in its current form.

Via BleepingComputer
