# REvil ransomware shuts down again after Tor sites were hijacked **[bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/](https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/)** Lawrence Abrams By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) October 17, 2021 07:19 PM 2 The REvil ransomware operation has likely shut down once again after an unknown person hijacked their Tor payment portal and data leak blog. The Tor sites went offline earlier today, with a threat actor affiliated with the REvil operation posting to the XSS hacking forum that someone hijacked the gang's domains. [The thread was first discovered by Recorded Future's Dmitry Smilyanets, and states that an](https://twitter.com/ddd1ms) unknown person hijacked the Tor hidden services (onion domains) with the same private keys as REvil's Tor sites and likely has backups of the sites. "But since we have today at 17.10 from 12:00 Moscow time, someone brought up the hidden-services of a landing and a blog with the same keys as ours, my fears were confirmed. The third party has backups with onion service keys," a threat actor known as ----- 0_neday posted to the hacking forum. The threat actor went on to say that they found no signs of compromise to their servers but will be shutting down the operation. The threat actor then told affiliates to contact him for campaign decryption keys via Tox, likely so affiliates could continue extorting their victims and provide a decryptor if a ransom is paid. **XSS forum topic about REvil sites being hijacked** To launch a Tor hidden service (an .onion domain), you need to generate a private and public key pair, which is used to initialize the service. The private key must be secured and only accessible to trusted admins, as anyone with access to this key could use it to launch the same .onion service on their own server. As a third party was able to hijack the domains, it means they too have access to the hidden service's private keys. This evening, 0_neday once again posted to the hacking forum topic, but this time saying that their server was compromised and that whoever did it was targeting the threat actor. ----- **Forum post stating the REvil server was compromised** At this time, it is unknown who compromised their servers. As Bitdefender and law enforcement gained access to the master REvil decryption key and [released a free decryptor, some threat actors believe that the FBI or other law enforcement](https://www.bleepingcomputer.com/news/security/free-revil-ransomware-master-decrypter-released-for-past-victims/) have had access to the servers since they relaunched. As no one knows what happened to Unknown, it is also possible that the threat actor is trying to regain control over the operation. ## REvil likely shut down for good After [REvil conducted a massive attack on companies through a zero-day vulnerability in the](https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/) Kaseya MSP platform, the REvil operation suddenly shut down, and their public-facing representative, Unknown, disappeared. After Unknown did not return, the rest of the REvil operators launched the operation and websites again in September using backups. Since then, the ransomware operation has been struggling to recruit users, going as far as to [increase affiliate's commissions to 90% to entice other threat actors to work with them.](https://twitter.com/y_advintel/status/1446528895537356825) With this latest mishap, the operation in its current forum will likely be gone for good. However, no good thing lasts forever when it comes to ransomware, and we will likely see them rebrand as a new operation shortly. _Thx to_ _[@_TheEmperors_ for the tip!](https://twitter.com/_TheEmperors_)_ ### Related Articles: [Darknet market Versus shuts down after hacker leaks security flaw](https://www.bleepingcomputer.com/news/security/darknet-market-versus-shuts-down-after-hacker-leaks-security-flaw/) [Conti ransomware shuts down operation, rebrands into smaller units](https://www.bleepingcomputer.com/news/security/conti-ransomware-shuts-down-operation-rebrands-into-smaller-units/) [The Week in Ransomware - May 6th 2022 - An evolving landscape](https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-6th-2022-an-evolving-landscape/) ----- [Conti, REvil, LockBit ransomware bugs exploited to block encryption](https://www.bleepingcomputer.com/news/security/conti-revil-lockbit-ransomware-bugs-exploited-to-block-encryption/) [REvil ransomware returns: New malware sample confirms gang is back](https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/) [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. -----