    Karlston
    REvil ransomware gang's web sites mysteriously shut down

     

    The infrastructure and websites for the REvil ransomware operation have mysteriously gone offline as of last night.

     

    The REvil ransomware operation, aka Sodinokibi, operates through numerous clear web and dark web sites used as ransom negotiation sites, ransomware data leak sites, and backend infrastructure.

     

    Starting last night, the websites and infrastructure used by the REvil ransomware operation have mysteriously shut down.

    [Image: REvil Tor site no longer accessible]

    "In simple terms, this error generally means that the onion site is offline or disabled. To know for sure, you'd need to contact the onion site administrator," the Tor Project's Al Smith told BleepingComputer.

     

    While it is not unheard of for individual REvil sites to lose connectivity for a while, for all of the gang's sites to go down simultaneously is unusual.

     

    Furthermore, the decoder[.]re clear-web domain no longer resolves, which could mean either that the domain's DNS records have been pulled or that the backend DNS infrastructure serving it has been shut down.

    [Image: REvil domain no longer resolves to DNS queries]
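    The two causes the article distinguishes (records pulled versus DNS infrastructure down) show up differently on the wire: a domain whose records have been removed answers NXDOMAIN or an empty NOERROR, while broken backend infrastructure answers SERVFAIL/REFUSED or nothing at all. The following is an added example, not code from the article or from BleepingComputer; it builds a raw DNS query with only the Python standard library, parses the response code, and maps it to a likely cause. The resolver address (1.1.1.1), the timeout, and the cause labels are this example's own assumptions.

```python
"""Classify why a clear-web domain has stopped resolving.

Added example (not from the article). Sends a minimal DNS query over UDP and
maps the outcome to the two causes discussed: records pulled (NXDOMAIN or an
empty NOERROR answer) versus backend DNS infrastructure down (SERVFAIL,
REFUSED, or no reply). The resolver, timeout and labels are assumptions.
"""
import random
import socket
import struct

# DNS response codes (RFC 1035 section 4.1.1)
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1):
    """Return a minimal recursion-desired DNS query for `name` (A record by default)."""
    txid = random.randrange(0, 0x10000)
    # flags 0x0100 = RD set; QDCOUNT=1, no answer/authority/additional records
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS = IN


def parse_response(data):
    """Return (transaction id, rcode, answer count) from a raw DNS response."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return txid, flags & 0x000F, ancount


def classify(rcode, answer_count, timed_out=False):
    """Map a query outcome to the likely cause (labels are this example's choice)."""
    if timed_out:
        return "no response: resolver or authoritative infrastructure unreachable"
    if rcode == 3:
        return "NXDOMAIN: domain removed or records pulled"
    if rcode == 0 and answer_count == 0:
        return "NOERROR with no answer: zone exists but record deleted"
    if rcode == 0:
        return "resolves: records still published"
    if rcode in (2, 5):
        return f"{RCODE_NAMES[rcode]}: backend DNS infrastructure failing"
    return f"rcode {rcode}: unexpected response"


def check(name, resolver="1.1.1.1", timeout=3.0):
    """Query `resolver` for `name` over UDP and classify the result (needs network)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return classify(0, 0, timed_out=True)
    txid, rcode, ancount = parse_response(data)
    # A reply whose transaction id does not match is stale or spoofed; ignore it.
    if txid != struct.unpack("!H", query[:2])[0]:
        return "transaction id mismatch: ignore stale or spoofed reply"
    return classify(rcode, ancount)


if __name__ == "__main__":
    # Domain named in the article; the resolver used is an assumption.
    print(check("decoder.re"))
```

    Run it against several public resolvers and, if the zone is still delegated, against the domain's own authoritative servers: NXDOMAIN from every vantage point points to the registrar or registry pulling the name, while timeouts only from the authoritative servers point to the operator's own DNS hosts being offline.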

    Recorded Future's Alan Liska said that the REvil web sites went offline at approximately 1 AM EST this morning.

     

    If you have first-hand information about the shut down, you can confidentially contact us on Signal at +16469613731 or on Wire at @lawrenceabrams-bc.

    Feeling the heat

    On July 2nd, the REvil ransomware gang encrypted approximately 60 managed service providers (MSPs) and over 1,500 individual businesses using a zero-day vulnerability in the Kaseya VSA remote management software.

     

    As part of these attacks, REvil initially demanded $70 million for a universal decryptor for all victims but quickly dropped the price to $50 million.

     

    Since then, the ransomware group has been under increased scrutiny by law enforcement, which did not seem to faze 'Unknown,' the public-facing representative of the ransomware gang.

     

    As these ransomware gangs commonly operate out of Russia, President Biden has been in talks with President Putin about the attacks and has warned that if Russia does not act against the threat actors within its borders, the USA will take action itself.

     

    "I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is," Biden said after signing an executive order at the White House.

     

    At this point, it is not clear whether the shutdown of these servers is simply a technical issue, whether the gang has shut down its operation, or whether a law enforcement operation has taken place.

     

    Other ransomware groups, such as DarkSide and Babuk, shut down voluntarily due to the increased pressure by law enforcement.

     

    However, when ransomware groups shut down, the operators and affiliates commonly rebrand as a new operation to continue performing ransomware attacks. This was seen in the past when GandCrab shut down and many of its members relaunched as REvil.

     

    Babuk also relaunched as Babuk v2.0 after the original group splintered due to differences in how attacks were conducted.

     

    BleepingComputer has contacted the FBI with questions about possible law enforcement action but has not heard back at this time.

     

    This is a developing story.

     
