Good luck, everyone - REvil hacker after group's Tor site gets taken over

Only a month after coming back online, the notorious REvil cyber gang announced they were out again. Maybe for good this time.

The infamous REvil ransomware group, responsible for extortion attacks against meat supplier JBS and software company Kaseya, appears to have run out of luck.

A month after coming back online, the group got hacked. The cartel had been offline for two months from July, after increased scrutiny that was likely due to the Kaseya attack.

Security researcher Dmitry Smilyanets yesterday posted on Twitter a thread from the Russian-language hacking forum XSS, in which a REvil member, '0_neday', explains that somebody hijacked the cartel's Tor payment portal and data leak blog.

"But since we have today at 17.10 from 12:00 Moscow time, someone brought up the hidden services of a landing and a blog with the same keys as ours, my fears were confirmed. The third party has backups with onion service keys," 0_neday explained in a forum post.

According to the threat actor, there was no sign that the group's servers themselves were compromised, and affiliates were instructed to contact 0_neday directly to obtain encryption keys.

Later, however, Smilyanets spotted the same account claiming that the servers had indeed been compromised. The threat actor claims that somebody deleted the path to the hidden services, trying to lure 0_neday into a trap.

"To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would go there. I checked on others – this was not. Good luck, everyone, I'm off," the threat actor said.

REvil announcement
0_neday's post on XSS forum.
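The two technical claims in 0_neday's posts, that someone brought up hidden services "with the same keys as ours" and that the path to the hidden service was removed from the torrc file, both come down to one property of Tor v3 onion services: the .onion address is derived from the service's ed25519 public key, so anyone holding a backup of the key directory can serve the identical address. The following Python is an added example, not code from this article or from any of the parties it describes. It derives a v3 address from a public key, validates an address's embedded checksum, and performs the integrity check an operator would run to confirm that the `hostname` file in a `HiddenServiceDir` still matches the key on disk. The sample key bytes are constructed, and the key-file layout is assumed to follow Tor's tagged-file format (a 32-byte header, then the raw 32-byte key).

```python
import base64
import binascii
import hashlib

# Tor v3 onion addresses are a pure function of the service's ed25519 public
# key (see Tor's rend-spec-v3):
#   checksum = SHA3-256(".onion checksum" || pubkey || version)[:2]
#   address  = base32(pubkey || checksum || version) + ".onion"
# Whoever holds the matching private key can publish a descriptor for, and
# therefore serve content at, the same address. That is why a third party with
# a backup of the service keys can "bring up" an identical .onion site.

ONION_VERSION = 3
# Assumed layout of Tor's hs_ed25519_public_key file: a 32-byte tag header
# followed by the raw key.
HS_PUBKEY_HEADER = b"== ed25519v1-public: type0 ==".ljust(32, b"\x00")


def onion_checksum(pubkey: bytes, version: int = ONION_VERSION) -> bytes:
    """Two-byte checksum that ties the address to its key and version."""
    data = b".onion checksum" + pubkey + bytes([version])
    return hashlib.sha3_256(data).digest()[:2]


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Derive the 56-character v3 address for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + bytes([ONION_VERSION])
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_valid_onion_address(address: str) -> bool:
    """Check that an address is well-formed and its embedded checksum matches."""
    address = address.lower()
    if not address.endswith(".onion"):
        return False
    name = address[: -len(".onion")]
    if len(name) != 56:
        return False
    try:
        raw = base64.b32decode(name.upper())
    except (binascii.Error, ValueError):
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    return version == ONION_VERSION and checksum == onion_checksum(pubkey)


def pubkey_from_hs_file(data: bytes) -> bytes:
    """Extract the raw key from the contents of a hs_ed25519_public_key file."""
    if len(data) != 64 or data[:32] != HS_PUBKEY_HEADER:
        raise ValueError("not a Tor hs_ed25519_public_key file")
    return data[32:]


def hostname_matches_pubkey(hostname_file: bytes, pubkey_file: bytes) -> bool:
    """Operator check: does HiddenServiceDir/hostname agree with the key on disk?"""
    expected = onion_address_from_pubkey(pubkey_from_hs_file(pubkey_file))
    return hostname_file.decode("ascii").strip() == expected


def corrupt_checksum(address: str) -> str:
    """Flip one checksum byte of a v3 address, to show what a bad address looks like."""
    raw = bytearray(base64.b32decode(address[: -len(".onion")].upper()))
    raw[32] ^= 0xFF
    return base64.b32encode(bytes(raw)).decode("ascii").lower() + ".onion"


# Constructed sample key material; not a real service key.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_PUBKEY_FILE = HS_PUBKEY_HEADER + SAMPLE_PUBKEY
SAMPLE_HOSTNAME_FILE = (onion_address_from_pubkey(SAMPLE_PUBKEY) + "\n").encode("ascii")

if __name__ == "__main__":
    addr = onion_address_from_pubkey(SAMPLE_PUBKEY)
    print("address:", addr)
    print("checksum valid:", is_valid_onion_address(addr))
    print("hostname matches key file:",
          hostname_matches_pubkey(SAMPLE_HOSTNAME_FILE, SAMPLE_PUBKEY_FILE))
    # A second operator holding a copy of the same key derives the same address.
    print("same key -> same address:",
          onion_address_from_pubkey(bytes(SAMPLE_PUBKEY)) == addr)
```

In a real deployment the torrc `HiddenServiceDir` directive names the directory that holds `hostname`, `hs_ed25519_public_key` and the private key; removing that line, as 0_neday describes, silently stops Tor from publishing the service, while a copy of the directory lets another host publish it instead. An operator who cares about this failure mode treats the key directory and torrc as high-value files: restrict who can read them, hash them, and alert on changes, since the address itself gives no hint of who is behind it.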

Interestingly, the malware research group vx-underground claims that the REvil domain was accessed using the key belonging to the gang's former PR representative, 'Unknown', who has been missing since July.

0_neday and Unknown were the only ones with access to the REvil domain keys, and REvil insiders claim they had assumed Unknown was dead.

Security researchers on Twitter speculate that this might spell the end of REvil, as the group had difficulty recruiting affiliates after coming back online in September.

"Someone has keys to REvil's Tor hidden services. Given their difficulty recruiting affiliates after the post-Kaseya reboot, this is probably a death knell for the group," BreachQuest CTO Jake Williams posted on Twitter.

Others were not quick to shed any tears, noting that many cartels remain operational even with REvil out of the picture.

"RIP to REvil again, again. They will be survived by lots of other ransomware," NBC's Kevin Collier wrote.

Year in turmoil

Cyberattacks are increasing in scale, sophistication, and scope. In 2020, ransomware payments reached over $400 million, more than four times the 2019 level. This year will likely set another record for ransomware cartels globally.

The last 12 months were rife with major high-profile cyberattacks, including those on network management software vendor SolarWinds, Colonial Pipeline's oil network, meat processing company JBS, and software firm Kaseya. Pundits talk of a ransomware gold rush, with the number of attacks increasing by over 90% in the first half of 2021 alone.

Recently, a Russia-linked cyber cartel attacked New Cooperative Inc., a major US farm service provider, demanding $5.9 million in ransom.

Meanwhile, a ransomware operation recently dubbed Ranion offers an entirely different payment structure: the group asks only for an upfront payment for its malware, with no additional service fees.

A recent IBM report shows that the average data breach costs victims $4.24 million per incident, the highest figure in the report's 17-year history. Last year the average stood at $3.86 million per incident, so the latest result represents a roughly 10% increase.

More from CyberNews