Cybercriminals claiming to be part of the REvil ransomware group have alleged that the gang is closing shop after the group lost control of vital infrastructure and had internal disputes.
Recorded Future security expert Dmitry Smilyanets shared multiple messages on Twitter from ‘0_neday’ — a known REvil operator — discussing what happened on the cybercriminal forum XSS. He claimed someone took control of the group’s Tor payment portal and data leak website.
In the messages, 0_neday explains that he and “Unknown” — a leading representative of the group — were the only two members of the gang who had REvil’s domain keys. “Unknown” disappeared in July, leaving the other members of the group to assume he died. The group resumed operations in September but this weekend, 0_neday wrote that the REvil domain had been accessed using the keys of “Unknown.”
In another message, 0_neday said, “The server was compromised and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would go there. I checked on others — this was not. Good luck everyone, I’m off.”
REvil originally closed shop in July after the devastating attack on Kaseya infected hundreds of organizations across the world and caused untold damage. The group is one of the most prolific ransomware gangs currently operating, attacking hundreds of vital companies and organizations over the last few years.
But the group attracted immense law enforcement scrutiny following the July 4 attack on Kaseya and ended its operation on July 13. By September, the group returned, continuing to attack dozens of companies in the last few weeks.
According to The Record, the July 13 shut down happened because “Unknown” allegedly stole the group’s money and shut down their servers, making it difficult for those remaining to pay affiliates.
Smilyanets told the news outlet that he hoped the group had shut down because of law enforcement actions by US officials. The FBI and other US agencies faced significant backlash over the past few weeks because of their actions during the REvil attack on Kaseya.
The FBI admitted it had decryption keys that could have helped the nearly 1,500 ransomware victims affected by the Kaseya attack, but decided against it because they were preparing an operation to disrupt REvil’s infrastructure. The group closed shop before the operation could be seen through and the FBI has been harshly criticized by the organizations affected and lawmakers for waiting to hand out the decryption keys.
Bitdefender later released a free decryptor for all of the organizations affected by the Kaseya attack.
Opinions on the situation were mixed among experts, with some cautioning people not to believe the word of criminals. Others said the situation made sense because REvil was facing criticism from its own affiliates for their actions.
Allan Liska, a ransomware expert with Recorded Future, told ZDNet that there were two theories in his mind.
“Unknown (the former leader of REvil) ‘returned from the dead’ and was not happy that his software developers were trying to push his ransomware. The second is that a government agency managed to penetrate the server before they closed shop the first time, got Unknown’s private key and decided to take these new actors down,” Liska said.
“Normally, I am pretty dismissive of ‘law enforcement’ conspiracy theories, but given that law enforcement was able to pull the keys from Kaseya attack, it is a real possibility. The relaunch of REvil was ill conceived from the start. Rebranding happens a lot in ransomware after a shutdown. But no one brings old infrastructure that was literally being targeted by every law enforcement operation not named Russia in the world back online. That is just dumb.”
Liska said that while some may question whether the drama within the group is real, he believes it is legitimate, noting the internal controversy that has engulfed other ransomware groups this year.
“There is a lot of money in ransomware right now, and with lots of money is going to come drama,” he said.
But while the REvil operators may have shut down this specific group, Liska said there is no doubt that everyone who was part of the REvil organization will continue to conduct ransomware attacks.
“Whether it is through creating a new ransomware or becoming an affiliate for another ransomware group, it is hard to give up the money that can be made from ransomware,” Liska said.
Sean Nikkel, Digital Shadows senior cyber threat intel analyst, said REvil was already facing additional scrutiny from the broader cybercriminal community due to drama involving accusations of failing to pay those involved in its partnership program and claims that it effectively cut out affiliates and shared decryption keys with victims.
On XSS, Nikkel said 0_neday was asked about who would work with REvil after this latest series of problems, and the representative replied, “Judging by everything, I’ll be working on my own.”
“Reaction to the news from other forum members ranged from largely unsympathetic to bordering on conspiracy theory. The main area of debate was whether the group would rebrand for a third time, with many questioning whether the cybercriminal community would still trust REvil-related schemes,” Nikkel explained.
Nikkel added that opinions appeared split on whether REvil’s reputation would ensure the group’s continued success, with many pointing out that all publicity is good publicity, and predicting that the promise of profits would still entice affiliates to work with the group in the future.
“One theory doing the rounds posited that a disgruntled former team member, combined with poor password hygiene, could have resulted in the attack,” Nikkel added, noting that many users questioned the fact that this topic was even being discussed on the site at all considering XSS’s May 2021 ban on ransomware-related content.
“The XSS representative for the LockBit ransomware group claimed to have predicted this turn of events, providing links to their ‘prophetic’ forum posts. They questioned the REvil representative’s intention to leave the forum, opining ‘if the domains have been hijacked, this is 100% proof that someone had a root on the server, which means that your database has been leaked too.’ The LockBit representative even put forward the idea the new REvil forum account may in fact be operated by law enforcement,” Nikkel said.
Nikkel noted that in his opinion, the tone of the REvil’s forum posts indicate the group will be back in some form. But they may face difficulty returning after advertising for affiliates on a 90/10 profit-splitting basis, which is more than the group has shared in previous years.
“Despite this, and the many controversies that REvil has been involved in that could have eroded all trust in and willingness to cooperate with the group, it seems that the group’s infamy and the promise of high profits are simply too much of a lure for many cybercriminals, who have returned to work with the group time and time again,” Nikkel said.
Senior security researcher for DomainTools Chad Anderson added that his team discovered that REvil had a backdoor in its RaaS offering. After that, multiple affiliates of the REvil program confirmed they had been ripped off by the creators.
“It’s hard to say what’s real at this point. We’ve seen groups disappear only to be reborn as a more full featured affiliate program. We’ve seen groups of affiliates shift to better payment models and we’ve seen group sites be taken over by others and their source code leaked or re-used,” Anderson told ZDNet.
“At this point evidence suggests that the private keys for the Onion hidden services backing the REvil payment infrastructure have been compromised. This certainly could be a government agency operation but it’s just as likely without hard confirmation that it’s some other ransomware group. REvil made a lot of affiliates mad when it turned out their code had a backdoor that could let REvil operators steal from their affiliates.”
Emsisoft ransomware expert Brett Callow was skeptical of what was written in the cybercrime forum, noting that they double as press release services for ransomware gangs.
“Threat actors know that law enforcement, researchers and reporters monitor forums, and so use them to issue statements. They say only what they want people to know and believe,” Callow said.
“Whether REvil has really closed shop, or are scamming their affiliates, or have some other reason for going dark, is impossible to say.”