REvil ransomware gang’s web sites mysteriously shut down
The infrastructure and websites for the REvil ransomware operation have mysteriously gone offline since last night.
The REvil ransomware operation, also known as Sodinokibi, runs through numerous clear web and dark web sites used as ransom negotiation sites, ransomware data leak sites, and backend infrastructure.
Starting last night, the websites and infrastructure used by the REvil ransomware operation have mysteriously shut down.
“In simple terms, this error generally means that the onion site is offline or disabled. To know for sure, you’d need to contact the onion site administrator,” the Tor Project’s Al Smith told BleepingComputer.
While it is not unusual for REvil sites to lose connectivity for some time, all sites shutting down simultaneously is uncommon.
Furthermore, the decoder[.]re clear web site is no longer resolvable by DNS queries, possibly indicating that the DNS records for the domain have been pulled or that the backend DNS infrastructure has been shut down.
Recorded Future’s Allan Liska said that the REvil websites went offline at around 1 AM EST today.
This afternoon, the LockBit ransomware representative posted to the XSS Russian-speaking hacking forum that it is rumored the REvil gang deleted their servers after learning of a government subpoena.
“Upon uncorroborated information, REvil server infrastructure received a government legal request forcing REvil to completely erase server infrastructure and disappear. However, it is not confirmed,” the post states in Russian, translated to English for BleepingComputer by Advanced Intel’s Vitali Kremez.
Soon after, the XSS admin banned REvil’s ‘Unknown,’ the public-facing representative of the ransomware gang, from the forum.
“As a rule of thumb, the administration of the top forums bans its users when they are suspected of being under the police control,” explained Kremez.
If you have first-hand information about the shutdown, you can confidentially contact us on Signal at +16469613731 or on Wire at @lawrenceabrams-bc.
Feeling the heat
On July 2nd, the REvil ransomware gang encrypted approximately 60 managed service providers (MSPs) and over 1,500 individual businesses using a zero-day vulnerability in the Kaseya VSA remote management software.
As part of these attacks, REvil initially demanded $70 million for a universal decryptor for all victims but quickly dropped the price to $50 million.
Since then, the ransomware group has been under increased scrutiny by law enforcement, which did not appear to intimidate ‘Unknown,’
As these ransomware gangs commonly operate out of Russia, President Biden has been in talks with President Putin about the attacks and warned that if Russia did not act on threat actors within its borders, the USA would act itself.
“I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden said after signing an executive order at the White House.
At this point, it is unclear if REvil’s shutdown of servers is for technical reasons, if the gang shut down their operation, or if a Russian or US law enforcement operation took place.
Other ransomware groups, such as DarkSide and Babuk, shut down voluntarily because of increased pressure from law enforcement.
However, when ransomware groups shut down, the operators and affiliates commonly rebrand as a new operation to continue carrying out ransomware attacks. This was seen in the past when GandCrab shut down and a number of its members relaunched as REvil.
Babuk also relaunched as Babuk v2.0 after the original group splintered because of differences in how attacks were carried out.
BleepingComputer has contacted the FBI with questions about possible law enforcement action but has not heard back at this time.
This is a developing story.
Update 7/13/21 6:31 PM EST: Added more information about hacking forums.