Cryptolaemus cybersecurity experts: The malware distribution process is the same as the one used to distribute BazarLoader.
Dmitry Smilyanets: REvil disappears again after losing control of its Tor payment portal and data leak website. The ransomware group went off the radar again, following a message from its affiliate, user 0_neday.
The REvil ransomware group has gone under the radar again, after an affiliate posted on the XSS hacking forum that unidentified actors had taken control of the gang’s Tor payment portal and data leak website. This was reported by The Hacker News, citing the findings of Recorded Future cybersecurity expert Dmitry Smilyanets. “The server was compromised and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would (sic) go there. I checked on others – this was not. Good luck everyone, I’m off,” user 0_neday said in the post. As of writing, it isn’t clear exactly who was behind the compromise of REvil’s servers, although it wouldn’t be entirely surprising if law enforcement agencies played a role in bringing down the domains.
The decryptor issue
Last month, the Washington Post reported that the FBI, which had obtained the decryptor by accessing the group’s servers, held back from sharing it with the victims of the Kaseya ransomware attack for nearly three weeks, as part of a plan to disrupt the gang’s malicious activities. “The planned takedown never occurred because in mid-July REvil’s platform went offline — without U.S. government intervention — and the hackers disappeared before the FBI had a chance to execute its plan,” the report added. A universal decryptor was eventually shared by Romanian cybersecurity firm Bitdefender in late July after it acquired the digital key from a “law enforcement partner.” Moreover, the cybercrime group staged a surprise return one month ago, following a two-month-long hiatus.