REvil ransomware group disappears again

On Sunday, October 17, the infamous REvil ransomware group’s Happy Blog leak site went offline and is no longer accessible. Following an attack, as part of its extortion scheme, REvil would threaten to publish stolen information on this page unless the victim paid the ransom.

On the same day, one of the bad actors behind REvil announced on the Russian cybercrime forum XSS that the group was shutting down after its domain was “hacked”, claiming that an unidentified individual had used the Tor private keys of the group’s former spokesperson, “Unknown”, to gain access to the REvil domain.

This is what Flashpoint revealed; its analysts have been regularly tracking the evolving situation around the reappearance of REvil.

Satnam Narang, research engineer at security firm Tenable, notes that the name REvil is a combination of “ransomware” and “evil”. The criminal group is also known as Sodinokibi and is behind some of the most notorious ransomware attacks, including the Kaseya attack in July of this year.

REvil operates as a criminal enterprise that sells hacking technology and other tools of malfeasance to third-party hackers. Its members have built an online dark web infrastructure that other hackers use to post stolen information and collect ransom payments, with REvil taking a share of all payments.

In July of this year, REvil closed its doors because its operators believed that Unknown was missing. Then, between 12 p.m. and 5 p.m. Moscow time on October 17, the group claimed that its domain had been accessed using Unknown’s keys, confirming its fear that a third party held backups of the service keys.

The REvil operator claimed that the ransomware server was compromised and that the hijacker had removed the access of the group representative known as 0_neday to his hidden administration server. 0_neday claimed the hijacker was looking for them and signed off on XSS wishing the members good luck.

Flashpoint analysts said this was an unexpected turn in REvil’s attempt to rebuild its operations, as the group had recently started recruiting new affiliates on RAMP, a new Russian-speaking ransomware-as-a-service forum, and had offered unusually high commissions of 90% to attract them.

Flashpoint says its analysts are monitoring the situation and will provide updates as they arise.

XSS forum users were wary of this new announcement, and a spokesperson for the LockBit ransomware gang claimed that this latest disappearance is proof that REvil’s reemergence in September of this year was part of an elaborate FBI plot to catch REvil affiliates.

Several bad actors agreed with this assessment and added that they believed REvil would reappear under a brand new name, leaving the recent scandals behind and avoiding having to pay its old affiliates.

Another cybercriminal added, paraphrasing Shakespeare, “Something is rotten about ransomware.”
