The REvil ransomware operation has halted once again, after an unknown person hijacked its Tor payment gateway and data leak blog. The Tor sites went offline earlier today, when a threat actor linked to the REvil operation claimed on the XSS hacking forum that the group's domains had been hacked.
Dmitry Smilyanets of Recorded Future was the first to spot and report the forum thread. He said that an unknown individual had hijacked the Tor hidden services (onion domains) using the same private keys as REvil's Tor sites, and therefore presumably possesses their backups.
A threat actor using the handle '0 neday' posted to the hacking forum that someone had brought up the hidden services for the landing page and blog with identical keys, and that a third party must hold backups containing the onion service keys.
The threat actor further said that no evidence of penetration had been found on their systems, but that they would be shutting down the operation. The actor then instructed affiliates to contact him via Tox for campaign decryption keys, presumably so that affiliates can continue to extort their victims and still hand over a decryptor if a ransom is paid.
To start a Tor hidden service (with a .onion domain), you first generate a public/private key pair; the .onion address is derived from the public key. Because anyone holding the private key can stand up the same .onion service on their own server, the key must be kept safe and available only to trusted admins. Since a third party was able to hijack the domains, they must now have the private keys for the hidden services.
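As an added example (not code from the article), the following shows why holding the key is equivalent to owning the address: for the current v3 onion format, the .onion hostname is nothing more than a base32 encoding of the service's ed25519 public key plus a checksum and version byte, so anyone with the matching private key can publish the same address. It also includes a check an operator can run to confirm that the `hostname` and `hs_ed25519_public_key` files in a hidden service directory still agree. Turning a private key into the public key needs an ed25519 library and is left out; the sample key bytes are constructed, not a real service key.

```python
import base64
import hashlib

VERSION = b"\x03"                       # v3 onion address version byte
CHECKSUM_PREFIX = b".onion checksum"    # fixed string from the v3 address spec
# 32-byte header that tor writes at the start of hs_ed25519_public_key
PUBKEY_FILE_HEADER = b"== ed25519v1-public: type0 ==\x00\x00\x00"


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_onion_address(address: str) -> bytes:
    """Decode a v3 .onion hostname back to its public key, checking version and checksum."""
    label = address.strip().lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if len(label) != 56:
        raise ValueError("v3 onion address must be 56 base32 characters")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("onion address checksum mismatch")
    return pubkey


def pubkey_from_keyfile(data: bytes) -> bytes:
    """Extract the raw public key from the contents of an hs_ed25519_public_key file."""
    if len(data) != 64 or data[:32] != PUBKEY_FILE_HEADER:
        raise ValueError("not an hs_ed25519_public_key file")
    return data[32:]


def hostname_matches_keyfile(hostname: str, keyfile_data: bytes) -> bool:
    """Operator check: does the hostname file still match the service's public key file?"""
    return pubkey_from_onion_address(hostname) == pubkey_from_keyfile(keyfile_data)


# Constructed sample: placeholder 32-byte "public key", not a real service key.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_KEYFILE = PUBKEY_FILE_HEADER + SAMPLE_PUBKEY

if __name__ == "__main__":
    addr = onion_address_from_pubkey(SAMPLE_PUBKEY)
    print(addr, hostname_matches_keyfile(addr + "\n", SAMPLE_KEYFILE))
```

Because the address carries only the public key, rotating to a fresh key pair is the only way to move a service to an address the previous key holder cannot reproduce.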
0 neday replied to the hacking forum thread again last evening. This time, they claimed that their server had been compromised and that whoever did it had been looking for the threat actor himself. It is still unknown who hacked into their servers.
The ransomware operation has struggled to attract affiliates since its administrators relaunched the operation and its websites from backups in September. To lure new threat actors into working with them, they had also raised affiliate commissions to 90%.
With this latest blunder, the operation under its current name is almost certainly finished. But when it comes to ransomware, nothing stays gone for long, and we should expect the group to rebrand under a new name soon.