Infamous ransomware gang REvil is reportedly shutting down again after getting hacked itself.

REVil, also known as Sodinokibi, first appeared in May 2019 and since that time has been a prolific ransomware group linked to dozens of attacks. Notable attacks include the ransomware attack on information technology management software from Kaseya Ltd. earlier this year.

The group then went offline in July at around the same time pressure was put on Russia to act on ransomware gangs operating in the country. It returned in September until once again going offline today.

Sounding more like a soap opera, alleged details of why REvil went offline in July and why it’s shutting down now have been published by a REvil operator on a Russian hacking forum. In both cases, hackers apparently hijacked the ransomware gang.

Flashpoint reported that the disappearance in July was attributed to an unidentified person, aptly dubbed “Unknown,” accessing the REvil domain. Unknown is said to have had access to the group’s keys and is believed to have obtained access to backups.

Users on the Russian forum were reportedly incredulous, with a suggestion from the LockBit ransomware gang that the reemergence of REvil in September was a part of a U.S. Federal Bureau of Investigation plot to catch REvil affiliates.

Forward to today and REvil’s Happy Blog and Tor payment portal are offline again. On the same Russian hacking forum, an alleged REvil representative said an unknown individual accessed parts of the back end of REvil’s website’s landing page and blog, leading the person to conclude that a third party had access to the website backups and Onion service keys.

REvil affiliates were asked to contact the group via Tox to obtain keys for their existing ransomware campaigns, with the spokesperson adding that the group would now be going offline.

Digital Shadows reported that forum users were unsympathetic to REvil’s demise and openly discussed conspiracy theories. One such theory is whether a disgruntled former team member, combined with poor password hygiene, could have resulted in the attack. Forum members also speculated whether REvil could return again and that perhaps this was nothing more than a publicity stunt.

“This latest disruption seems to be caused by insider fighting or possible offensive takedown – it’s the final blow to REvil,” Steve Moore, chief security strategist at cybersecurity and compliance solution provider Exabeam Inc., told SiliconANGLE. “The operator only mentions a ‘third party’ – no attempt is made to identify their identity.

Moore said that based on information shared, the group lost control of its backups, which contained keys to overtake its network. “In the exciting twist, the adversary was seemingly taken down due to weak technology hygiene, a flaw generally exploited by them to extort money from their victims,” he added.

Photo: U.S. Air Force