REvil ransomware operators claim group is ending activity again, victim leak blog now offline

Cybercriminals claiming to be part of the REvil ransomware group have alleged that the gang is closing shop after the group lost control of vital infrastructure and had internal disputes. 

Recorded Future security expert Dmitry Smilyanets shared multiple messages on Twitter from ‘0_neday’ — a known REvil operator — discussing what happened on the cybercriminal forum XSS. He claimed someone took control of the group’s Tor payment portal and data leak website.

In the messages, 0_neday explains that he and “Unknown” — a leading representative of the group — were the only two members of the gang who had REvil’s domain keys. “Unknown” disappeared in July, leaving the other members of the group to assume he died. The group resumed operations in September but this weekend, 0_neday wrote that the REvil domain had been accessed using the keys of “Unknown.” 

In another message, 0_neday said, “The server was compromised and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would go there. I checked on others — this was not. Good luck everyone, I’m off.”

Dmitry Smilyanets

REvil originally closed shop in July after the

Read More: https://www.zdnet.com/article/revil-ransomware-operators-claim-group-is-ending-activity-again-happy-blog-now-offline/#ftag=RSSbaffb68