The infrastructure and websites of the REvil ransomware operation have been mysteriously offline since last night.
The REvil ransomware operation, also known as Sodinokibi, runs numerous clear web and dark web sites that serve as ransom negotiation sites, data leak sites, and backend infrastructure.
As of last night, the websites and infrastructure used by the REvil ransomware operation have mysteriously shut down.
“Simply put, this error usually means the Onion site is offline or disabled. To be sure, you need to contact the Onion site administrator,” Tor Project’s Al Smith told BleepingComputer.
While it is not uncommon for REvil sites to lose connectivity for a period of time, shutting down all sites simultaneously is unusual.
In addition, the decoder[.]re clear web site is no longer resolvable by DNS queries, possibly indicating that the domain’s DNS records have been pulled or that the backend DNS infrastructure has been shut down.
Recorded Future’s Allan Liska said that the REvil websites went offline around 1 a.m. EST this morning.
This afternoon, the LockBit ransomware representative posted on the Russian-speaking XSS hacking forum that he believed the REvil gang had wiped its servers after learning of a government subpoena.
“On unsubstantiated information, the REvil server infrastructure received a legal request from the government, forcing REvil to completely wipe out the server infrastructure and disappear. However, this is not confirmed,” the message read, translated from Russian into English for BleepingComputer by Advanced Intel’s Vitali Kremez.
Shortly after, the XSS administrator banned “Unknown,” the public representative of the REvil ransomware gang, from the forum.
“Typically, the administration of major forums bans its users when they are suspected of being under police control,” Kremez explained.
If you have first-hand information about the shutdown, you can contact us confidentially on Signal at +16469613731 or on Wire at @lawrenceabrams-bc.
Feeling the heat
On July 2, the REvil ransomware gang encrypted approximately 60 Managed Service Providers (MSPs) and more than 1,500 individual businesses using a zero-day vulnerability in Kaseya VSA remote management software.
As part of these attacks, REvil initially demanded $70 million for a universal decryptor for all victims, but quickly lowered the price to $50 million.
Since then, the ransomware group has come under increased scrutiny by law enforcement, which did not seem to bother “Unknown.”
As these ransomware gangs typically operate from Russia, President Biden has been in talks with President Putin about the attacks and warned that if Russia does not act against threat actors within its borders, the United States would take action itself.
“I told him very clearly that the United States expects, when a ransomware operation comes from its soil, even if it is not state sponsored, that it will act if we give it enough information to act on who it is,” Biden said after signing an executive order at the White House.
At this point, it is not clear whether the shutdown of REvil’s servers was due to technical reasons, whether the gang has shut down operations, or whether a Russian or US law enforcement operation has taken place.
Other ransomware groups, such as DarkSide and Babuk, have voluntarily shut down due to increased pressure from law enforcement.
However, when ransomware groups shut down, their operators and affiliates typically rebrand as a new operation and continue carrying out ransomware attacks. This was seen in the past when GandCrab closed its doors and many of its members relaunched as REvil.
Babuk was also relaunched as Babuk v2.0 after the original group split due to differences in the way the attacks were carried out.
The FBI declined to comment on the shutdown of REvil’s servers.
This is a developing story.
Update 7/13/21 18:31 EST: Added more information from the hacking forums.