REvil, the notorious Russian-linked ransomware gang responsible for the high-profile cyberattacks on Kaseya, Travelex and JBS earlier this year, has disappeared again after its Tor payment portal and data leak blog were allegedly hijacked.
News of the shutdown first surfaced in a post on a known criminal forum by a threat actor affiliated with the REvil operation; the post was spotted by Dmitry Smilyanets of cybersecurity company Recorded Future.
A threat actor from the group revealed the disruption on a hacking forum, formally announcing that REvil has suspended operations.
Steve Moore, Chief Security Strategist at Exabeam says: "This latest disruption seems to be caused by insider fighting or possible offensive takedown – it’s the final blow to REvil. The operator only mentions a “third party” – no attempt is made to identify their identity.
"Keep in mind these are organisations like any other, but with fewer rules. Based on information shared, they lost control of their backups which contained keys to overtake their network. In the exciting twist, the adversary was seemingly taken down due to weak technology hygiene, a flaw generally exploited by them to extort money from their victims.”
Thomas Cartlidge, Head of Threat Intelligence at Six Degrees adds: "To most of us, the news of REvil's difficulties will not change the level of ransomware threat. In the past quarter we saw a record number of ransomware attacks against UK organisations, many of them believed to be launched by criminals other than REvil. What does this mean? Well, despite the trials and tribulations of one particular ransomware operator, it shows that the threat to organisations remains stark and that the operating model of these criminals is robust. I believe that we shouldn’t focus on the disappearance of one Tor payment portal, but instead on the broader issue of why these attacks are still so successful."
Neil Jones, Cybersecurity Evangelist at Egnyte concludes: "When malware infrastructure goes offline, even temporarily, that's obviously good news for businesses. However, I would encourage organisations not to let their guards down, and to continue with the proven detection and mitigation strategies that have gotten them through the recent ransomware crisis. Realistically, new ransomware infrastructure can be brought online quickly, so we all need to remain vigilant. Continual steps must be taken to thwart ransomware groups, and the public and private sectors must come together at the highest levels to challenge multi-million dollar cybercriminal gangs."