Following the Kaseya attack fiasco, all clear web and dark web websites used by the REvil Ransomware gang for negotiations, data leaks and other backend infrastructure has been shut down as of July 13.
While it’s not unknown for the REvil gang, sometimes referred to as Sodinokibi, to lose connectivity, causing one or two of their sites to go down. All sites going down simultaneously indicates a total shutdown.
According to a tweet put out by MalwareHunterTeam, REvil’s clear web payment site decoder(dot)re has been taken down with now A records or DNS response, indicating a total backend shutdown.
In the News: BIMI security standard rolls out to all Gmail users
Is REvil on the run?
Alan Liska from Recorded Future also tweeted that all REvil sites went offline at around 1 AM EST on Tuesday.
A LockBit ransomware representative posted on the XSS hacking forum that it’s rumoured that REvil might’ve wiped their servers, fearing action from the US government.
The forum is in Russian mostly, but when run through Google Translate, the post reads, “according to unconfirmed information, a request from the authorities came to the REvil server, the server was immediately erased, and REvil went offline. But it is not confirmed”.
Following this, the XSS admin banned REvil’s public representative named ‘Unknown’ from the forum. Generally, forums like these ban members who attract unwanted attention, which certainly seems to be the case here.
It has also come to light that XSS has banned all ransomware related activities on its forums. The admin put out a post stating that all ransomware affiliate programs, ransomware rental and sale of ransomware software are prohibited, and any existing topics will be deleted.
The owner also felt that all the chatter around ransomware lately has brought unwanted attention to the site and has made it dangerous and toxic.