The REvil ransomware operation’s infrastructure and websites have unexpectedly vanished from the dark web, leading to speculation that the criminal operation has been shut down.
REvil, or Sodinokibi, is a ransomware operation that uses a variety of clear web and dark web portals as ransom negotiation sites, ransomware data leak sites, and backend infrastructure.
According to recent reports by BleepingComputer, the ransomware gang’s websites have mysteriously vanished from the dark web.
Attempting to access the site now returns the error message “Onionsite not found”.
According to Al Smith of the Tor Project, that error means the onion site is down or has been disabled.
REvil sites have occasionally lost connectivity for short periods in the past, but it is unusual for all of them to be down at the same time.
Furthermore, DNS queries no longer resolve the decoder[.]re clear website, possibly indicating that the domain’s DNS records have been withdrawn or that the backend DNS infrastructure has been shut down.
On the dark web, the group’s Tor network infrastructure includes one data leak blog site and 22 data hosting sites.
A LockBit ransomware representative posting on the Russian-speaking XSS hacking forum claimed that the REvil gang wiped their servers after learning of a government subpoena.
According to that account, a legal request from the government targeting REvil’s server infrastructure prompted the gang to fully wipe that infrastructure and vanish.
This has not yet been confirmed.
REvil’s public-facing representative, known as ‘Unknown,’ was subsequently banned from the forum by an XSS moderator.
On July 2nd, the REvil ransomware gang used a zero-day vulnerability in the Kaseya VSA remote management system to encrypt around 60 managed service providers (MSPs) and over 1,500 individual businesses.
REvil demanded $70 million for a universal decryptor for all victims, but later lowered the price to $50 million.
Since then, law enforcement has been paying closer attention to the ransomware group.
It’s unclear whether REvil’s servers were taken down for technical reasons, if the gang shut down their operation, or if a Russian or US government enforcement operation was involved.