REvil shuts down - again


The hacking group has ironically been hacked

An admin of the REvil ransomware group has said that the gang is shutting down - again - following internal disputes among operators.

That's a polite way of saying one of the admins went rogue and stole all the money.

Dmitry Smilyanets, an analyst and former hacker at cybersecurity firm Recorded Future, tweeted screengrabs from the XSS cybercrime forum, where REvil operator 0_neday discussed what had happened.

0_neday claims his fellow operator 'Unknown' (aka UNKN) took control of the group's Tor payment portal and data leak website. Unknown - the only person aside from 0_neday with access to REvil's domain keys - had vanished in July, around the time that REvil first disappeared. The other group members assumed he had died (which, I guess, is a normal thing in criminal circles?).

While speculation at the time was that law enforcement had finally caught up with the gang, The Record says Unknown actually stole all the group's money and shut down the servers on their way out, leaving REvil unable to pay its affiliates.

The group returned to life in September, minus Unknown, using all the same infrastructure as before. It looks like this was a mistake, as it allowed Unknown - or someone with their domain keys - to compromise REvil's server.

0_neday wrote:

"The server was compromised and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would go there. I checked on others -- this was not. Good luck everyone, I'm off."
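As an added illustration (not from the article or from anyone quoted in it): the tampering 0_neday describes, the operator's own HiddenServiceDir line removed from torrc and a different one inserted, is the kind of configuration drift a baseline diff catches. The torrc fragments and paths below are constructed sample data.

```python
# Added example: diff a Tor server's hidden-service configuration against a
# known-good baseline so that a removed or swapped HiddenServiceDir is reported.
# All torrc text and paths here are constructed sample data.
import re

HS_DIR_RE = re.compile(r"^\s*HiddenServiceDir\s+(\S+)", re.IGNORECASE)
HS_PORT_RE = re.compile(r"^\s*HiddenServicePort\s+(\S+)\s+(\S+)", re.IGNORECASE)


def parse_hidden_services(torrc_text):
    """Return {HiddenServiceDir: [(virtual_port, target), ...]} from torrc text.

    Tor attaches each HiddenServicePort to the most recent HiddenServiceDir, so
    ports are grouped under the directory line that precedes them. Text after a
    '#' is treated as a comment and blank lines are skipped.
    """
    services = {}
    current = None
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line:
            continue
        m = HS_DIR_RE.match(line)
        if m:
            current = m.group(1)
            services.setdefault(current, [])
            continue
        m = HS_PORT_RE.match(line)
        if m and current is not None:
            services[current].append((m.group(1), m.group(2)))
    return services


def diff_hidden_services(baseline_text, observed_text):
    """Return (removed_dirs, added_dirs, changed_dirs) between two torrc versions."""
    base = parse_hidden_services(baseline_text)
    seen = parse_hidden_services(observed_text)
    removed = sorted(set(base) - set(seen))
    added = sorted(set(seen) - set(base))
    changed = sorted(d for d in set(base) & set(seen) if base[d] != seen[d])
    return removed, added, changed


# Constructed sample: the baseline as the operator wrote it, and a tampered copy
# in which the operator's service directory is gone and another one was raised.
BASELINE_TORRC = "SocksPort 0\nHiddenServiceDir /var/lib/tor/portal/\nHiddenServicePort 80 127.0.0.1:8080\n"
TAMPERED_TORRC = "SocksPort 0\nHiddenServiceDir /var/lib/tor/other/  # not ours\nHiddenServicePort 80 127.0.0.1:8080\n"

if __name__ == "__main__":
    print(diff_hidden_services(BASELINE_TORRC, TAMPERED_TORRC))
```

Run against a copy of the real baseline on a schedule (or from a file-integrity hook on torrc) and alert on any non-empty removed or added list.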

Allan Liska, a ransomware expert also with Recorded Future, shared two theories:

"[The first theory is that] Unknown (the former leader of REvil) 'returned from the dead' and was not happy that his software developers were trying to push his ransomware. The second [theory] is that a government agency managed to penetrate the server before they closed shop the first time, got Unknown's private key and decided to take these new actors down.

"Normally, I am pretty dismissive of 'law enforcement' conspiracy theories, but given that law enforcement was able to pull the keys from the Kaseya attack, it is a real possibility. The relaunch of REvil was ill conceived from the start. Rebranding happens a lot in ransomware after a shutdown. But no one brings old infrastructure that was literally being targeted by every law enforcement operation not named Russia in the world back online. That is just dumb."

Whether or not the internal REvil drama is real, the group's operators are likely to continue launching attacks in the future, either on their own or under a new brand. For many of them, there is simply too much money in ransomware to walk away from it.