[updated]REvil ransomware disappears after Tor services hijacked

[updated]REvil ransomware disappears after Tor services hijacked

With some pests you hope they never recover from a blow. It’s almost too good to be true, but one can hope. This is one of them. The REvil ransomware group has shut down their operation for the second time this year after losing control over their Tor-based domains.

Shutdown number 1

REvil’s first shutdown was in July 2021, after the gang successfully pulled off a supply chain attack against Managed Service Provider Kaseya. Shortly after this widespread incident all online traces of the gang weirdly seemed to vanish from the internet. In particular, the payment sites and data leak site were taken offline, along with the infrastructure for victims to make Bitcoin payments and get the decryption tools.

A lot of speculation ensued but there were no definite answers. Some said the group had joined forces with the DarkSide group to come back stronger under the name BlackMatter. Others claimed a victory for the good guys, hoping, almost against the odds, that some of the countermeasures taken by governments across the globe were starting to produce results. The Kaseya attack certainly had such an impact worldwide that it brought the full attention of international law enforcement to the group.

The group’s own story is that one of the group’s leaders took down the servers and disappeared with the group’s money, which left them unable to pay many of their affiliates.

The comeback

Unfortunately, a few months later, the REvil ransomware gang made a comeback, attacking new victims and publishing stolen files on a data leak site. The Tor payment and negotiation sites suddenly turned back on as well, with the timers for all prior victims reset to the day the infrastructure went offline.

Shutdown number 2

This time the shutdown looks to be a result of a hostile take-over. This week, the gang’s Tor payment portal and data leak blog were allegedly hijacked, and a spokesperson for the group said the server was compromised. The threat actor’s post on an underground forum said the group’s Tor services were hijacked and replaced to point to a different location.

And again speculation comes into play.

Allegedly, many affiliates were still waiting to be compensated for the losses they suffered when the group last disappeared. On top of that there are rumors that the developers of the ransomware hid a backdoor in their code, so that they can forego their affiliates and provide decryption keys directly to victims.

This doesn’t really make sense, in my view. But it is possible that a key exists that can decrypt the files of multiple, or maybe even all, victims. It wouldn’t be the first time.

Either way, cybercriminals that operate under covert identities rely on a strong base of trust if they want to continue to work together. And that trust in REvil seems to be at a low level, and may be totally gone depending on how this disappearing act turns out.

torcc file

In all the reports about the server takeover there is a mention of the torcc file. This is a text file that holds the configuration details for a Tor instance. The spokesperson for REvil claimed that the path to their hidden service was deleted and the attacker raised their own, hoping that they would go there. Basically, the hidden service in the torcc file is what points visitors of an .onion site to the correct webserver. Being able to alter that file requires a high level of access.

So, who do you think is responsible? Let us know in the comments. I have prepared a few choices, but obviously you can add your own options.

Option 1: An angry affiliate that has had enough.

Option 2: It was an inside job and yet another admin fled the scene with the money.

Option 3: Law enforcement shut down the operation and is now after the people behind it.

Option 4: A white hat hacker that wishes to remain anonymous for safety’s sake.

Option 5: It was just a glitch and they will be back next week, maybe under another name.

Option 6: It was the former group’s leader who was not amused to learn about the comeback.

Wink if you are not guessing, but know for a fact.

Update October 22, 2021

It looks as if those betting on Option3 have won. Reuters reported that the ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.

According to three people familiar with the matter, law enforcement and intelligence cyber specialists were able to hack REvil’s computer network infrastructure, obtaining control of at least some of their servers. It looks as if the REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised. A wrong assumption, which is ironic for creators of malware that makes it essential to have clean backups.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.