REvil ransomware gang’s web sites mysteriously shut down


The infrastructure and websites for the REvil ransomware operation have mysteriously disappeared from the dark web, speculating that the criminal enterprise may have been taken down.

The REvil ransomware operation, aka Sodinokibi, operates through numerous clear web and dark web sites used as ransom negotiation sites, ransomware data leak sites, and backend infrastructure.

The sites maintained by the group displays an error message “Onionsite not found”. The Tor Project’s Al Smith said that the onion site might be offline or disabled. To know for sure, one has to contact the onion site administrator.

REvil sites used to lose connectivity for some time, but it is unusual for all sites to shut down simultaneously.

Furthermore, the decoder[.]re clear website is no longer resolvable by DNS queries, possibly indicating the DNS records for the domain have been pulled or that backend DNS infrastructure has been shut down.

The group’s Tor network infrastructure on the dark web consists of one data leak blog site and 22 data hosting sites.

The LockBit ransomware representative posted to the XSS Russian-speaking hacking forum that it is rumored the REvil gang erased their servers after learning of a government subpoena.

REvil server infrastructure received a government legal request forcing REvil to completely erase server infrastructure and disappear. However, it is not confirmed.

The XSS admin banned REvil’s ‘Unknown,’ the public-facing representative of the ransomware gang, from the forum.

On July 2nd, the REvil ransomware gang encrypted approximately 60 managed service providers (MSPs) and over 1,500 individual businesses using a zero-day vulnerability in the Kaseya VSA remote management software.

REvil initially demanded $70 million for a universal decryptor for all victims but then dropped the price to $50 million.

Since then, the ransomware group has been under increased scrutiny by law enforcement.

Now, it is not sure whether REvil’s shut down of servers is for technical reasons, if the gang shut down their operation, or if a Russian or USA law enforcement operation took place.


Please enter your comment!
Please enter your name here