The operators of the REvil ransomware are shutting down (again) now that their payment portal, their server and the site itself have been hacked.
REvil managed to hit several large companies with its ransomware in the past year. After the attack on software company Kaseya this summer, the ransomware gang's sites already disappeared once. Now that seems to be happening again, this time because the organization itself became a victim.
According to Bleeping Computer, 0_neday, a user affiliated with the gang, reported on a forum that both the Tor payment portal and the gang's blog had been hacked and taken over by unknown persons. Later, the same person confirmed that the organization's servers had been compromised as well.
The circumstances are vague, but it appears that someone got hold of the private keys for the sites and brought the same service up on a different server. 0_neday suggests that this is how the perpetrator tried to hit, or track down, the REvil gang itself.
This looks very much like a shutdown of REvil, although it would not be the first one. In the meantime, law enforcement and security companies have done a lot of work against the group.
For example, a decryption key for REvil has been available for a while now. There is, of course, nothing to stop the perpetrators from resuming their activities under a different name, possibly with different malware.