
REvil ransomware operators claim group is ending activity again, victim leak blog now offline


The group resurfaced a few weeks ago after closing shop in July, leaving researchers skeptical of this latest shutdown.
Cybercriminals claiming to be part of the REvil ransomware group have alleged that the gang is closing shop after it lost control of vital infrastructure and suffered internal disputes. Recorded Future security expert Dmitry Smilyanets shared on Twitter multiple messages from ‘0_neday’ — a known REvil operator — discussing what happened on the cybercriminal forum XSS. He claimed someone had taken control of the group’s Tor payment portal and data leak website.

In the messages, 0_neday explains that he and “Unknown” — a leading representative of the group — were the only two members of the gang who held REvil’s domain keys. “Unknown” disappeared in July, leaving the other members of the group to assume he had died. The group resumed operations in September, but this weekend 0_neday wrote that the REvil domain had been accessed using the keys of “Unknown.”

In another message, 0_neday said, “The server was compromised and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would go there. I checked on others — this was not. Good luck everyone, I’m off.”

REvil originally closed shop in July after the devastating attack on Kaseya infected hundreds of organizations across the world and caused untold damage. The group is one of the most prolific ransomware gangs currently operating, having attacked hundreds of vital companies and organizations over the last few years. But the group attracted immense law enforcement scrutiny following the July 4 attack on Kaseya and ended its operation on July 13. By September the group had returned, attacking dozens more companies in the following weeks.

According to The Record, the July 13 shutdown happened because “Unknown” allegedly stole the group’s money and shut down its servers, making it difficult for those remaining to pay affiliates. Smilyanets told the news outlet that he hoped the group had shut down because of law enforcement actions by US officials.
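The operator quoted above describes the hijack as a torrc edit: the HiddenServiceDir line pointing at his onion service was removed and one pointing at the intruders’ own service was added. An operator of any legitimate onion service can catch exactly that kind of change by baselining the hidden-service directives and diffing them. The following is an added example, not code from the article or from any party it describes; the torrc text in it is constructed for illustration.

```python
"""Detect changes to Tor hidden-service directives in a torrc file (added example; sample torrc text is constructed)."""

def parse_hidden_services(torrc_text):
    """Return [(hidden_service_dir, [port_lines])] in file order.

    Tor attaches each HiddenServicePort line to the HiddenServiceDir that
    precedes it; comments (#) and blank lines are ignored.
    """
    services = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "HiddenServiceDir":
            services.append((value, []))
        elif key == "HiddenServicePort" and services:
            services[-1][1].append(value)
    return services

def diff_hidden_services(baseline_text, current_text):
    """Report HiddenServiceDir entries removed, added, or re-pointed."""
    base = dict(parse_hidden_services(baseline_text))
    cur = dict(parse_hidden_services(current_text))
    return {
        "removed": sorted(d for d in base if d not in cur),
        "added": sorted(d for d in cur if d not in base),
        "changed_ports": sorted(d for d in base if d in cur and base[d] != cur[d]),
    }

# Constructed sample: the baseline carries the operator's own service; the
# tampered copy comments it out and adds a directory the intruder controls.
BASELINE_TORRC = """\
SocksPort 9050
HiddenServiceDir /var/lib/tor/payment_portal/
HiddenServicePort 80 127.0.0.1:8080
"""
TAMPERED_TORRC = """\
SocksPort 9050
# HiddenServiceDir /var/lib/tor/payment_portal/
HiddenServiceDir /var/lib/tor/intruder_service/
HiddenServicePort 80 127.0.0.1:8080
"""

if __name__ == "__main__":
    print(diff_hidden_services(BASELINE_TORRC, TAMPERED_TORRC))
```

In practice the baseline would be stored outside the host (or in a file-integrity monitor) so that whoever edits torrc cannot also edit the reference copy.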
The FBI and other US agencies faced significant backlash over the past few weeks because of their actions during the REvil attack on Kaseya. The FBI admitted it had held decryption keys that could have helped the nearly 1,500 ransomware victims affected by the Kaseya attack, but decided against releasing them because it was preparing an operation to disrupt REvil’s infrastructure. The group closed shop before the operation could be carried out, and the FBI has been harshly criticized by the organizations affected and by lawmakers for waiting to hand out the decryption keys. Bitdefender later released a free decryptor for all of the organizations affected by the Kaseya attack. Opinions on the situation were mixed among experts, with some cautioning people not to believe the word of criminals.
